From 83932149e53c8a15bd96850a50cbaf6c3c1e2ccf Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 14 Jan 2025 16:45:06 -0700 Subject: [PATCH 01/45] December DDF updates --- .../mdm/healthattestation-csp.md | 4 +- .../mdm/healthattestation-ddf.md | 4 +- .../mdm/policies-in-preview.md | 17 +- .../mdm/policy-csp-connectivity.md | 57 +++++- .../mdm/policy-csp-deliveryoptimization.md | 58 +++--- .../mdm/policy-csp-deviceguard.md | 68 ++++++- .../mdm/policy-csp-humanpresence.md | 181 +++++++++++++++++- .../mdm/policy-csp-printers.md | 54 +++++- windows/client-management/mdm/vpnv2-csp.md | 14 +- .../client-management/mdm/vpnv2-ddf-file.md | 12 +- 10 files changed, 415 insertions(+), 54 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4367d3cb2f..a43aae095f 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,7 +1,7 @@ --- title: HealthAttestation CSP description: Learn more about the HealthAttestation CSP. -ms.date: 01/31/2024 +ms.date: 01/14/2025 --- @@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later
✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later
✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 0c9d382872..5a273aecc4 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -1,7 +1,7 @@ --- title: HealthAttestation DDF file description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. -ms.date: 06/28/2024 +ms.date: 01/14/2025 --- @@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H - 99.9.99999 + 99.9.99999, 10.0.26100.2314, 10.0.22621.4541 1.4 diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md index 0e4249d643..a728e43011 100644 --- a/windows/client-management/mdm/policies-in-preview.md +++ b/windows/client-management/mdm/policies-in-preview.md @@ -1,7 +1,7 @@ --- title: Configuration service provider preview policies description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. -ms.date: 11/27/2024 +ms.date: 01/14/2025 --- @@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview ## Connectivity +- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume) - [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor) - [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage) - [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage) @@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn) - [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords) +## DeviceGuard + +- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation) + ## DevicePreparation CSP - [PageEnabled](devicepreparation-csp.md#pageenabled) @@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview - [AttestErrorMessage](healthattestation-csp.md#attesterrormessage) +## HumanPresence + +- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen) +- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim) +- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification) + ## InternetExplorer - [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields) @@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) +## Printers + +- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy) + ## Reboot CSP - [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent) diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 5ed3127e3f..a58ea71af2 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,7 +1,7 @@ --- title: Connectivity Policy CSP description: Learn more about the Connectivity Area in Policy CSP. -ms.date: 11/05/2024 +ms.date: 01/14/2025 --- @@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read + +## DisableCrossDeviceResume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume +``` + + + + +This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC. + +- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification. + +- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone. + +- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | CrossDeviceResume is Enabled. | +| 1 | CrossDeviceResume is Disabled. | + + + + + + + + ## DisableDownloadingOfPrintDriversOverHTTP diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index c058b8bccf..c8994390c1 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,7 +1,7 @@ --- title: DeliveryOptimization Policy CSP description: Learn more about the DeliveryOptimization Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 01/14/2025 --- @@ -93,7 +93,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the -Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not. @@ -240,10 +240,18 @@ If this policy isn't configured, the client will attempt to automatically find a |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-4294967295]` | | Default Value | 0 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DHCP Option 235. | +| 2 | DHCP Option 235 Force. | + + **Group policy mapping**: @@ -342,7 +350,7 @@ The recommended value is 1 hour (3600). -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. +For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source. @@ -397,7 +405,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. +For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source. @@ -513,7 +521,7 @@ The recommended value is 1 minute (60). -Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. +Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'. @@ -535,8 +543,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec | Value | Description | |:--|:--| -| 0 (Default) | Allowed. | -| 1 | Not allowed. | +| 0 (Default) | Not Set. | +| 1 | Enabled. | @@ -572,7 +580,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec -Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1. +Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products. @@ -598,10 +606,10 @@ Specifies the download method that Delivery Optimization can use in downloads of |:--|:--| | 0 (Default) | HTTP only, no peering. | | 1 | HTTP blended with peering behind the same NAT. | -| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. | +| 2 | HTTP blended with peering across a private group. | | 3 | HTTP blended with Internet peering. | -| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. | -| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. | +| 99 | HTTP only, no peering, no use of DO cloud service. | +| 100 | Bypass mode, deprecated in Windows 11. | @@ -698,7 +706,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen -Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +Specifies the source of group ID used for peer selection. @@ -722,12 +730,12 @@ Set this policy to restrict peer selection to a specific source. Available optio | Value | Description | |:--|:--| -| 0 (Default) | Unset. | +| 0 (Default) | Not Set. | | 1 | AD site. | | 2 | Authenticated domain SID. | -| 3 | DHCP user option. | -| 4 | DNS suffix. | -| 5 | Microsoft Entra ID. | +| 3 | DHCP Option ID. | +| 4 | DNS Suffix. | +| 5 | Entra ID Tenant ID. | @@ -824,7 +832,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days). +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. @@ -879,7 +887,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt -Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20. +Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space. @@ -991,7 +999,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts -Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s). +Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads. @@ -1165,7 +1173,7 @@ Recommended values: 64 GB to 256 GB. -Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. +Specifies the minimum content file size in MB eligible to use P2P. @@ -1220,7 +1228,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom -Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. +Specifies the minimum total RAM size in GB required to use P2P. @@ -1330,7 +1338,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be -Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB). +Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. @@ -1501,7 +1509,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts -Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2). +Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy. @@ -1528,7 +1536,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer |:--|:--| | 0 (Default) | None. | | 1 | Subnet mask. | -| 2 | Local peer discovery (DNS-SD). | +| 2 | Local discovery (DNS-SD). | diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index c27a142696..ba7cfacf34 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,7 +1,7 @@ --- title: DeviceGuard Policy CSP description: Learn more about the DeviceGuard Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 01/14/2025 --- @@ -9,6 +9,8 @@ ms.date: 01/18/2024 # Policy CSP - DeviceGuard +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config + +## MachineIdentityIsolation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation +``` + + + + +Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. | +| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. | +| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Machine Identity Isolation Configuration. | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + + + + + + + + ## RequirePlatformSecurityFeatures diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 1cf592ddff..b27018ae74 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,7 +1,7 @@ --- title: HumanPresence Policy CSP description: Learn more about the HumanPresence Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 01/14/2025 --- @@ -9,6 +9,8 @@ ms.date: 09/27/2024 # Policy CSP - HumanPresence +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will + +## ForcePrivacyScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen +``` + + + + +Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForcePrivacyScreen | +| Path | Sensors > AT > WindowsComponents > HumanPresence | + + + + + + + + + +## ForcePrivacyScreenDim + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim +``` + + + + +Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | ForcedUnchecked. | +| 1 | ForcedChecked. | +| 0 (Default) | DefaultToUserChoice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForcePrivacyScreenDim | +| Path | Sensors > AT > WindowsComponents > HumanPresence | + + + + + + + + + +## ForcePrivacyScreenNotification + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification +``` + + + + +Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | ForcedUnchecked. | +| 1 | ForcedChecked. | +| 0 (Default) | DefaultToUserChoice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForcePrivacyScreenNotification | +| Path | Sensors > AT > WindowsComponents > HumanPresence | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 098733446d..b852afb0b4 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,7 +1,7 @@ --- title: Printers Policy CSP description: Learn more about the Printers Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 01/14/2025 --- @@ -11,6 +11,8 @@ ms.date: 09/27/2024 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -348,6 +350,56 @@ The following are the supported values: + +## ConfigureIppTlsCertificatePolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureIppTlsCertificatePolicy | +| ADMX File Name | Printing.admx | + + + + + + + + ## ConfigureRedirectionGuardPolicy diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 58d6463c97..f8ca2e1a8a 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -1,7 +1,7 @@ --- title: VPNv2 CSP description: Learn more about the VPNv2 CSP. -ms.date: 01/18/2024 +ms.date: 01/14/2025 --- @@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa -False: Don't Bypass for Local traffic. - -True: ByPass VPN Interface for Local Traffic. - -Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. +Not supported. @@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa -False: Don't Bypass for Local traffic. - -True: ByPass VPN Interface for Local Traffic. - -Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. +Not supported. diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index abe39e405a..8927c4cc29 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1,7 +1,7 @@ --- title: VPNv2 DDF file description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. -ms.date: 06/28/2024 +ms.date: 01/14/2025 --- @@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V - False : Do not Bypass for Local traffic - True : ByPass VPN Interface for Local Traffic - - Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + Not supported. @@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can - False : Do not Bypass for Local traffic - True : ByPass VPN Interface for Local Traffic - - Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + Not supported. From 6937671796a00c3999e5395b45d37f5c153f89b7 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 21 Jan 2025 14:25:02 -0700 Subject: [PATCH 02/45] Updates --- .../mdm/policy-csp-deliveryoptimization.md | 92 +++++-------------- 1 file changed, 22 insertions(+), 70 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index c8994390c1..6fd24a5ef3 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,7 +1,7 @@ --- title: DeliveryOptimization Policy CSP description: Learn more about the DeliveryOptimization Area in Policy CSP. -ms.date: 01/14/2025 +ms.date: 01/21/2025 --- @@ -34,11 +34,7 @@ ms.date: 01/14/2025 -Specifies the maximum size in GB of Delivery Optimization cache. - -This policy overrides the DOMaxCacheSize policy. - -The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space. +Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy. @@ -125,8 +121,8 @@ Specifies whether the device, with an active VPN connection, is allowed to parti | Name | Value | |:--|:--| | Name | AllowVPNPeerCaching | -| Friendly Name | Enable Peer Caching while the device connects via VPN | -| Element Name | Enable Peer Caching while the device connects via VPN. | +| Friendly Name | Enable P2P while the device connects via VPN | +| Element Name | Enable P2P while the device connects via VPN. | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -156,9 +152,7 @@ Specifies whether the device, with an active VPN connection, is allowed to parti -This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s). - -One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. @@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or -This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically. - -Options available are: - -0 = Disable DNS-SD. - -1 = DHCP Option 235. +Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically. +1 = DHCP Option 235 2 = DHCP Option 235 Force. - -If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. @@ -289,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a -This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P. - -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. - -Note that a download that's waiting for peer sources, will appear to be stuck for the end user. - -The recommended value is 1 hour (3600). +For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source. @@ -319,7 +300,7 @@ The recommended value is 1 hour (3600). | Name | Value | |:--|:--| | Name | DelayBackgroundDownloadFromHttp | -| Friendly Name | Delay background download from http (in secs) | +| Friendly Name | Delay background download from http (in seconds) | | Element Name | Delay background download from http (in secs) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | @@ -460,13 +441,7 @@ For foreground downloads that use a cache server, specifies the time to wait bef -This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P. - -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. - -Note that a download that's waiting for peer sources, will appear to be stuck for the end user. - -The recommended value is 1 minute (60). +For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source. @@ -490,7 +465,7 @@ The recommended value is 1 minute (60). | Name | Value | |:--|:--| | Name | DelayForegroundDownloadFromHttp | -| Friendly Name | Delay Foreground download from http (in secs) | +| Friendly Name | Delay Foreground download from http (in seconds) | | Element Name | Delay Foreground download from http (in secs) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | @@ -649,11 +624,7 @@ Specifies the method that Delivery Optimization can use to download content on b -Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to. - -Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. - -Note this is a best effort optimization and shouldn't be relied on for an authentication of identity. +Specifies an arbitrary group ID that the device belongs to. A GUID must be used. @@ -776,8 +747,6 @@ Specifies the source of group ID used for peer selection. Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. @@ -943,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. @@ -1054,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for bac -Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). - -The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy. - -The value 0 means "not-limited"; The cloud service set default value will be used. +Specifies the minimum battery level required for uploading to peers, while on battery power. @@ -1113,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use -Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used. - -Recommended values: 64 GB to 256 GB. - -> [!NOTE] -> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. +Specifies the required minimum total disk size in GB for the device to use P2P. @@ -1142,8 +1100,8 @@ Recommended values: 64 GB to 256 GB. | Name | Value | |:--|:--| | Name | MinDiskSizeAllowedToPeer | -| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) | -| Element Name | Minimum disk size allowed to use Peer Caching (in GB) | +| Friendly Name | Minimum disk size allowed to use P2P (in GB) | +| Element Name | Minimum disk size allowed to use P2P (in GB) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -1197,8 +1155,8 @@ Specifies the minimum content file size in MB eligible to use P2P. | Name | Value | |:--|:--| | Name | MinFileSizeToCache | -| Friendly Name | Minimum Peer Caching Content File Size (in MB) | -| Element Name | Minimum Peer Caching Content File Size (in MB) | +| Friendly Name | Minimum P2P Content File Size (in MB) | +| Element Name | Minimum P2P Content File Size (in MB) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -1252,8 +1210,8 @@ Specifies the minimum total RAM size in GB required to use P2P. | Name | Value | |:--|:--| | Name | MinRAMAllowedToPeer | -| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | -| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | +| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) | +| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -1283,9 +1241,7 @@ Specifies the minimum total RAM size in GB required to use P2P. -Specifies the drive Delivery Optimization shall use for its cache. - -By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path. +Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. @@ -1394,8 +1350,6 @@ Specifies the maximum bytes in GB that Delivery Optimization is allowed to uploa Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. @@ -1453,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. @@ -1689,7 +1641,7 @@ This policy allows an IT Admin to define the following details: -This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas. +Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma. From 682bf3f67fb7995ed8be63b899adff8b332c12c3 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 22 Jan 2025 15:51:43 -0800 Subject: [PATCH 03/45] ccu-9693727 --- .../catalog-checkpoint-cumulative-updates.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 windows/deployment/update/catalog-checkpoint-cumulative-updates.md diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md new file mode 100644 index 0000000000..66e7894d4f --- /dev/null +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -0,0 +1,66 @@ +--- +title: Checkpoint cumulative updates and the Microsoft Update Catalog +description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images. +ms.service: windows-client +ms.subservice: itpro-updates +ms.topic: conceptual +ms.author: mstewart +author: mestew +manager: aaroncz +ms.collection: + - tier2 +ms.localizationpriority: medium +appliesto: + - ✅ Windows 11, version 24H2 and later +ms.date: 01/23/2025 +--- + +# Checkpoint cumulative updates and Microsoft Update Catalog usage + +Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update (CU). Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint CUs, so update processes involving WU and WSUS remain unchanged. This article covers how Catalog users can easily update their devices (or images) through checkpoint CUs. + +## Checkpoint CUs + +Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was "released to manufacturing" (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries. + +With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This will allow you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This means that you can save time, bandwidth, and hard drive space. + +Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of: +- The update package files associated with the checkpoints, and +- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +This process may be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device. + +If any checkpoint CUs precede a target update, a device or image needs to take all prior checkpoint CUs before it can take the target update. In other words, a post-checkpoint LCU can be applied to images/devices that are on that checkpoint or on a subsequent LCU. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates. + +### Applicability + +A checkpoint CU is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. + +This feature does not introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). + +WinRE is serviced by applying the servicing stack update (SSU) from OnePackage (LCU does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying SSU then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). + +### Current Checkpoint CUs + +For Windows 11, version 24H2 and above, for a given update the KB article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs. + +## Updating from the Microsoft Update Catalog + +When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint CUs and apply these sequentially under certain situations or in one go using DISM. + +### Finding prior Checkpoint CUs + +For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024—KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): + + +

+**Method 2: Install each MSU file individually, in order** + +Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order: + +- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu +- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu + +

+ From f2bfea529bb9735e71bebb35ce5b87005da5aff0 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 22 Jan 2025 15:56:20 -0800 Subject: [PATCH 04/45] ccu-9693727 --- .../catalog-checkpoint-cumulative-updates.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 66e7894d4f..c71bab2808 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -55,12 +55,10 @@ For a given update, users can look up the KB article and find all preceding chec

-**Method 2: Install each MSU file individually, in order** - -Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order: - -- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu -- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu - -

+Method 2: Install each MSU file individually, in order

+

+Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

+

+

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
    • +
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu

From 1b7a8b67ffbf62f74038639b982cc760045a06c7 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 22 Jan 2025 16:08:51 -0800 Subject: [PATCH 05/45] ccu-9693727 --- .../update/catalog-checkpoint-cumulative-updates.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index c71bab2808..dc46168501 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -54,11 +54,8 @@ When installing a given monthly security or optional nonsecurity preview update, For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024—KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): -

-Method 2: Install each MSU file individually, in order

-

-Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

-

-

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
    • -
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu

+| | +|---| +|Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
| +> Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
\ No newline at end of file From ca009c6fd50474152576d128bfad6a55dfd7b928 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 11:12:49 -0800 Subject: [PATCH 06/45] ccu-9693727 --- .../catalog-checkpoint-cumulative-updates.md | 44 ++++++++++++++++--- 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index dc46168501..b6e802f722 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -43,7 +43,7 @@ WinRE is serviced by applying the servicing stack update (SSU) from OnePackage ( ### Current Checkpoint CUs -For Windows 11, version 24H2 and above, for a given update the KB article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs. +For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs. ## Updating from the Microsoft Update Catalog @@ -51,11 +51,43 @@ When installing a given monthly security or optional nonsecurity preview update, ### Finding prior Checkpoint CUs -For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024—KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): +For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): + > Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-| | -|---| -|Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
| +Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint CU, [KB5043080](https://support.microsoft.com/help/5043080). -> Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
\ No newline at end of file +### Updating through Checkpoint CUs + +**Device has the latest checkpoint CU and doesn't need customization:** + +Devices or images that have the latest checkpoint CU installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target CU with no change to your existing process. You can simply copy the target MSU from Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). + +Examples of eligible devices: + +| Device is on | Needs to install| +|---|---| +|
  • The checkpoint CU, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
| +|
  • A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
  • A subsequent monthly security update like 2024-10 (KB5044284)
|
  • A subsequent monthly security update like 2025-01 (KB5050009), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| + +**Device needs FoD or LP customization:** + +Installing FoDs or LPs requires the full LCU payload, which now can be split across files associated with each preceding checkpoint CU. So, when customizing FoDs or LPs, all prior checkpoint CUs and the target CU need to be installed regardless of whether the device already had any of the prior checkpoints CU installed. This needs to be done using DISM. + +1. Copy the MSUs of the latest CU (the target) and all prior checkpoint CUs to a local folder. Make sure there are no other MSUs present. +1. Mount the install.wim file. +1. Run `DISM /add-package` with the latest MSU as the sole target. +1. Run `/Cleanup-Image /StartComponentCleanup`. +1. Unmount. +1. Run `DISM /export-image` to optimize the image size, if that's important to you. + +**Device doesn't have the latest checkpoint CU and doesn't need customization:** + +Devices that are not on the latest checkpoint CU and do not need FoD/LP customization can either install all needed CUs one by one in the right sequence. Alternately they can be updated using DISM to install all CUs in one go, see above. If there are total 4 checkpoint CUs available and device already has the first one installed, DISM will apply the remaining 3 checkpoint CUs in the right order followed by the target CU, all in one go. + +## Related articles + +- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) +- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) +- [How to download updates that include drivers and hotfixes from the Windows Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog) +- [Update Windows installation media with Dynamic Update](media-dynamic-update.md) From a5475acc005510c2faf96bdba9efd3f963337815 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 11:31:55 -0800 Subject: [PATCH 07/45] ccu-9693727 --- windows/deployment/update/release-cycle.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index 2df0fe24ef..82e635558d 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -54,6 +54,14 @@ Monthly security update releases are available through the following channels: Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment. +Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: +- The update package files associated with the checkpoints, and +- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. + + + ## Optional nonsecurity preview release **Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows. From 8c0f17456288528849486e3ee0fa7237f9365d7f Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 11:35:56 -0800 Subject: [PATCH 08/45] ccu-9693727 --- windows/deployment/update/release-cycle.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index 82e635558d..c7c628ba1b 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -78,6 +78,12 @@ To access the optional nonsecurity preview release: - Use [Windows Insider Program for Business](https://insider.windows.com/for-business) - Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). +Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: +- The update package files associated with the checkpoints, and +- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. + ## OOB releases **Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need. From 618377a20d1cc9b6fa4c57cf58b841f0a4e7c536 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 11:37:59 -0800 Subject: [PATCH 09/45] ccu-9693727 --- windows/deployment/update/release-cycle.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index c7c628ba1b..266d95bfcf 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 06/04/2024 +ms.date: 01/23/2025 --- # Update release cycle for Windows clients @@ -74,7 +74,7 @@ Multiple checkpoints may be shipped during the lifecycle of a given Windows rele - LCU preview To access the optional nonsecurity preview release: -- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. +- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. - Use [Windows Insider Program for Business](https://insider.windows.com/for-business) - Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). From 3c8cfb2a61edf741e908f9b38e27bb8ed3f854b6 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 13:54:40 -0800 Subject: [PATCH 10/45] ccu-9693727 --- .../catalog-checkpoint-cumulative-updates.md | 40 +++++++++---------- windows/deployment/update/release-cycle.md | 2 +- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index b6e802f722..9c930c27e2 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -17,9 +17,9 @@ ms.date: 01/23/2025 # Checkpoint cumulative updates and Microsoft Update Catalog usage -Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update (CU). Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint CUs, so update processes involving WU and WSUS remain unchanged. This article covers how Catalog users can easily update their devices (or images) through checkpoint CUs. +Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. -## Checkpoint CUs +## Checkpoint cumulative updates Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was "released to manufacturing" (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries. @@ -31,63 +31,63 @@ Going forward, Microsoft might periodically release cumulative updates as checkp This process may be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device. -If any checkpoint CUs precede a target update, a device or image needs to take all prior checkpoint CUs before it can take the target update. In other words, a post-checkpoint LCU can be applied to images/devices that are on that checkpoint or on a subsequent LCU. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates. +If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates. ### Applicability -A checkpoint CU is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. +A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. This feature does not introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). -WinRE is serviced by applying the servicing stack update (SSU) from OnePackage (LCU does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying SSU then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). +WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). -### Current Checkpoint CUs +### Current checkpoint cumulative updates -For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs. +For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. ## Updating from the Microsoft Update Catalog -When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint CUs and apply these sequentially under certain situations or in one go using DISM. +When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply these sequentially under certain situations or in one go using DISM. -### Finding prior Checkpoint CUs +### Finding prior checkpoint cumulative updates -For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): +For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): > Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint CU, [KB5043080](https://support.microsoft.com/help/5043080). +Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080). -### Updating through Checkpoint CUs +### Updating through checkpoint cumulative updates -**Device has the latest checkpoint CU and doesn't need customization:** +**Device has the latest checkpoint cumulative update and doesn't need customization:** -Devices or images that have the latest checkpoint CU installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target CU with no change to your existing process. You can simply copy the target MSU from Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). +Devices or images that have the latest checkpoint cumulative update installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can simply copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). Examples of eligible devices: | Device is on | Needs to install| |---|---| -|
  • The checkpoint CU, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
| +|
  • The checkpoint cumulative update, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
| |
  • A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
  • A subsequent monthly security update like 2024-10 (KB5044284)
|
  • A subsequent monthly security update like 2025-01 (KB5050009), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| **Device needs FoD or LP customization:** -Installing FoDs or LPs requires the full LCU payload, which now can be split across files associated with each preceding checkpoint CU. So, when customizing FoDs or LPs, all prior checkpoint CUs and the target CU need to be installed regardless of whether the device already had any of the prior checkpoints CU installed. This needs to be done using DISM. +Installing FoDs or LPs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or LPs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. -1. Copy the MSUs of the latest CU (the target) and all prior checkpoint CUs to a local folder. Make sure there are no other MSUs present. +1. Copy the MSUs of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other MSUs present. 1. Mount the install.wim file. 1. Run `DISM /add-package` with the latest MSU as the sole target. 1. Run `/Cleanup-Image /StartComponentCleanup`. 1. Unmount. 1. Run `DISM /export-image` to optimize the image size, if that's important to you. -**Device doesn't have the latest checkpoint CU and doesn't need customization:** +**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:** -Devices that are not on the latest checkpoint CU and do not need FoD/LP customization can either install all needed CUs one by one in the right sequence. Alternately they can be updated using DISM to install all CUs in one go, see above. If there are total 4 checkpoint CUs available and device already has the first one installed, DISM will apply the remaining 3 checkpoint CUs in the right order followed by the target CU, all in one go. +Devices that are not on the latest checkpoint cumulative update and do not need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total 4 checkpoint cumulative updates available and device already has the first one installed, DISM will apply the remaining 3 checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. ## Related articles - [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) - [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) -- [How to download updates that include drivers and hotfixes from the Windows Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog) +- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog) - [Update Windows installation media with Dynamic Update](media-dynamic-update.md) diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index 266d95bfcf..aa99ea62f3 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -1,6 +1,6 @@ --- title: Update release cycle for Windows clients -description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected. +description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected. ms.service: windows-client ms.subservice: itpro-updates ms.topic: conceptual From 379b99618c5695f67b63011ea9ea42b1a940aa79 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:04:17 -0800 Subject: [PATCH 11/45] ccu-9693727 --- .../catalog-checkpoint-cumulative-updates.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 9c930c27e2..acabef6211 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -17,37 +17,37 @@ ms.date: 01/23/2025 # Checkpoint cumulative updates and Microsoft Update Catalog usage -Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. +Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. ## Checkpoint cumulative updates -Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was "released to manufacturing" (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries. +Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries. -With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This will allow you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This means that you can save time, bandwidth, and hard drive space. +With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space. Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of: - The update package files associated with the checkpoints, and - New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. -This process may be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device. +This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device. -If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates. +If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. ### Applicability -A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. +A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. -This feature does not introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). +This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). -WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). +WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). ### Current checkpoint cumulative updates -For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. +For Windows 11, version 24H2 and later, for a given update the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. ## Updating from the Microsoft Update Catalog -When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply these sequentially under certain situations or in one go using DISM. +When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations or in one go using DISM. ### Finding prior checkpoint cumulative updates @@ -61,20 +61,20 @@ Alternately, users can search the KB number in the [Microsoft Update Catalog](ht **Device has the latest checkpoint cumulative update and doesn't need customization:** -Devices or images that have the latest checkpoint cumulative update installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can simply copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). +Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). Examples of eligible devices: | Device is on | Needs to install| |---|---| -|
  • The checkpoint cumulative update, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
| +|
  • The checkpoint cumulative update, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| |
  • A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
  • A subsequent monthly security update like 2024-10 (KB5044284)
|
  • A subsequent monthly security update like 2025-01 (KB5050009), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| **Device needs FoD or LP customization:** Installing FoDs or LPs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or LPs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. -1. Copy the MSUs of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other MSUs present. +1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present. 1. Mount the install.wim file. 1. Run `DISM /add-package` with the latest MSU as the sole target. 1. Run `/Cleanup-Image /StartComponentCleanup`. @@ -83,7 +83,7 @@ Installing FoDs or LPs requires the full latest cumulative update payload, which **Device doesn't have the latest checkpoint cumulative update and doesn't need customization:** -Devices that are not on the latest checkpoint cumulative update and do not need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total 4 checkpoint cumulative updates available and device already has the first one installed, DISM will apply the remaining 3 checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. +Devices that aren't on the latest checkpoint cumulative update and don't need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. ## Related articles From 39e1c81dd5a7b27f45798f36b3ba665d4ba077b6 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 23 Jan 2025 15:11:33 -0800 Subject: [PATCH 12/45] ccu-9693727 --- windows/deployment/TOC.yml | 2 ++ .../catalog-checkpoint-cumulative-updates.md | 16 ++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index e816d252d7..db0c863b4a 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -294,6 +294,8 @@ items: href: update/windows-update-logs.md - name: Servicing stack updates href: update/servicing-stack-updates.md + - name: Checkpoint cumulative updates and Microsoft Update Catalog usage + href: update/catalog-checkpoint-cumulative-updates.md - name: Update CSP policies href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context - name: Update other Microsoft products diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index acabef6211..c569bad856 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -43,11 +43,11 @@ WinRE is serviced by applying the servicing stack update from OnePackage (latest ### Current checkpoint cumulative updates -For Windows 11, version 24H2 and later, for a given update the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. +For Windows 11, version 24H2 and later, for a given update, the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. ## Updating from the Microsoft Update Catalog -When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations or in one go using DISM. +When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM). ### Finding prior checkpoint cumulative updates @@ -55,13 +55,13 @@ For a given update, users can look up the KB article and find all preceding chec > Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080). +Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080). ### Updating through checkpoint cumulative updates **Device has the latest checkpoint cumulative update and doesn't need customization:** -Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). +Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). Examples of eligible devices: @@ -70,20 +70,20 @@ Examples of eligible devices: |
  • The checkpoint cumulative update, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| |
  • A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
  • A subsequent monthly security update like 2024-10 (KB5044284)
|
  • A subsequent monthly security update like 2025-01 (KB5050009), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| -**Device needs FoD or LP customization:** +**Device needs FoD or language pack customization:** -Installing FoDs or LPs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or LPs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. +Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. 1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present. 1. Mount the install.wim file. -1. Run `DISM /add-package` with the latest MSU as the sole target. +1. Run `DISM /add-package` with the latest `.msu` file as the sole target. 1. Run `/Cleanup-Image /StartComponentCleanup`. 1. Unmount. 1. Run `DISM /export-image` to optimize the image size, if that's important to you. **Device doesn't have the latest checkpoint cumulative update and doesn't need customization:** -Devices that aren't on the latest checkpoint cumulative update and don't need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. +Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. ## Related articles From 61e0e38f59da8a9842ad1d1880712a5b5d135f35 Mon Sep 17 00:00:00 2001 From: Chris Olin Date: Fri, 24 Jan 2025 11:37:24 -0500 Subject: [PATCH 13/45] Update pinned-apps.md added key details for provisioning package configuration / expected syntax --- windows/configuration/taskbar/pinned-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md index d2454b1e79..6f93e76b25 100644 --- a/windows/configuration/taskbar/pinned-apps.md +++ b/windows/configuration/taskbar/pinned-apps.md @@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the - **Value:** content of the XML file > [!NOTE] -> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*. +> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \< and \> entity encodings. Single and double quote characters do not need to be escaped. [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] From f814a24f965d8db9d463c375bbd7e2a1b115a5ef Mon Sep 17 00:00:00 2001 From: TCGL23 <140627881+TCGL23@users.noreply.github.com> Date: Fri, 24 Jan 2025 17:41:58 +0000 Subject: [PATCH 14/45] Update bitlocker-csp.md Updating as descriptions in CSP refer to AD DS yet when configured to backup to AD DS, Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID. and Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID. --- windows/client-management/mdm/bitlocker-csp.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index f4d06f4ce7..052ed1a825 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -551,6 +551,10 @@ The possible values for 'zz' are: - 1 = Store recovery passwords and key packages - 2 = Store recovery passwords only + +For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID. + +For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID. @@ -2092,6 +2096,10 @@ The possible values for 'zz' are: - 1 = Store recovery passwords and key packages. - 2 = Store recovery passwords only. + +For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID. + +For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID. From 871071ea651124af44c2acd42050d87bb17888ff Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:10:40 -0800 Subject: [PATCH 15/45] edits from pm --- .../update/catalog-checkpoint-cumulative-updates.md | 6 +++--- windows/deployment/update/release-cycle.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index c569bad856..3d038d8a0a 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -12,12 +12,12 @@ ms.collection: ms.localizationpriority: medium appliesto: - ✅ Windows 11, version 24H2 and later -ms.date: 01/23/2025 +ms.date: 01/27/2025 --- # Checkpoint cumulative updates and Microsoft Update Catalog usage -Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. +Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. ## Checkpoint cumulative updates @@ -39,7 +39,7 @@ A checkpoint cumulative update is just another monthly security update that info This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). -WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). +WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). ### Current checkpoint cumulative updates diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index aa99ea62f3..7df3d99935 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 01/23/2025 +ms.date: 01/27/2025 --- # Update release cycle for Windows clients @@ -58,7 +58,7 @@ Starting Windows 11, version 24H2, Microsoft may periodically release cumulative - The update package files associated with the checkpoints, and - New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. -Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. @@ -82,7 +82,7 @@ Starting Windows 11, version 24H2, Microsoft may periodically release cumulative - The update package files associated with the checkpoints, and - New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. -Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. ## OOB releases From 750aa34feffcb2209449d3d33aeee9db07573698 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:41:49 -0800 Subject: [PATCH 16/45] edits from pm --- .../deployment/update/catalog-checkpoint-cumulative-updates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 3d038d8a0a..a537aea3fa 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -12,6 +12,7 @@ ms.collection: ms.localizationpriority: medium appliesto: - ✅ Windows 11, version 24H2 and later + - ✅ Windows Server 2025 ms.date: 01/27/2025 --- From d8c6f3453149dd9bc68732d312b7ad464765b2d2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 27 Jan 2025 08:23:08 -0800 Subject: [PATCH 17/45] cpw-9694988 --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index fdb5c9671f..c899d98a8e 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now. The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience. -The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. +The Microsoft Copilot app, which is a consumer experience, will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. -Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. +Note that the Microsoft Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. ## Policy information for previous Copilot in Windows (preview) experience From c01e4d1591ef7bb7b762a3cf69dacbab341f24b6 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 27 Jan 2025 08:27:33 -0800 Subject: [PATCH 18/45] cpw-9694988 --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index c899d98a8e..5014d53399 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now. The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience. -The Microsoft Copilot app, which is a consumer experience, will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. +The Microsoft Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. -Note that the Microsoft Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. +Note that the Microsoft Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. ## Policy information for previous Copilot in Windows (preview) experience From 2fe8a6231bbd70eabef20c231d1566e9be081931 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 27 Jan 2025 12:35:34 -0800 Subject: [PATCH 19/45] cpw-9694988 --- windows/client-management/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 711bc21aea..955dee1921 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -48,7 +48,7 @@ items: href: enterprise-app-management.md - name: Manage updates href: device-update-management.md - - name: Updated Windows and Microsoft Copilot experience + - name: Updated Windows and Microsoft 365 Copilot Chat experience href: manage-windows-copilot.md - name: Manage Recall href: manage-recall.md From a149e3de7b255fb9a6fd740658184702d1186860 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 27 Jan 2025 12:37:17 -0800 Subject: [PATCH 20/45] cpw-9694988 --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 5014d53399..2af6627e8d 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now. The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience. -The Microsoft Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. +The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. -Note that the Microsoft Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. +Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. ## Policy information for previous Copilot in Windows (preview) experience From a59e627cf321c8d417783ef68ab692fe878c3596 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 27 Jan 2025 20:51:26 -0500 Subject: [PATCH 21/45] freshness review --- education/windows/federated-sign-in.md | 2 +- .../hello-for-business/rdp-sign-in.md | 2 +- ...e-hellman-protocol-over-ikev2-vpn-connections.md | 2 +- ...le-sign-on-sso-over-vpn-and-wi-fi-connections.md | 2 +- .../network-security/vpn/vpn-authentication.md | 13 +------------ .../vpn/vpn-auto-trigger-profile.md | 13 +------------ .../network-security/vpn/vpn-conditional-access.md | 13 +------------ .../network-security/vpn/vpn-connection-type.md | 12 +----------- .../network-security/vpn/vpn-guide.md | 2 +- .../network-security/vpn/vpn-name-resolution.md | 13 +------------ .../vpn/vpn-office-365-optimization.md | 2 +- .../network-security/vpn/vpn-profile-options.md | 12 +----------- .../network-security/vpn/vpn-routing.md | 13 +------------ .../network-security/vpn/vpn-security-features.md | 13 +------------ 14 files changed, 14 insertions(+), 100 deletions(-) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index aca908bb45..9a73ef453c 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Learn how federated sign-in in Windows works and how to configure it. -ms.date: 06/03/2024 +ms.date: 01/27/2025 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index bc28fecee5..305932af9b 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md @@ -1,7 +1,7 @@ --- title: Remote Desktop sign-in with Windows Hello for Business description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business. -ms.date: 06/11/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index c2a7ae57a8..2fc0efca6e 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,7 +1,7 @@ --- title: How to configure cryptographic settings for IKEv2 VPN connections description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index daf7f89f5d..9a4865a98c 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,7 +1,7 @@ --- title: How to use single sign-on (SSO) over VPN and Wi-Fi connections description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index 539eeaeda6..26a2c22a06 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -1,7 +1,7 @@ --- title: VPN authentication options description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil :::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile."::: -## Related topics - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) -- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md index 85b51dd4d1..53c870afc0 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md @@ -1,7 +1,7 @@ --- title: VPN auto-triggered profile options description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune. :::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png"::: - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index 8fa4ab6725..e912b38f54 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md @@ -1,7 +1,7 @@ --- title: VPN and conditional access description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4) - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md index 7199978f6c..0c0b47c65c 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md @@ -1,7 +1,7 @@ --- title: VPN connection types description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles: > [!div class="mx-imgBorder"] > ![Custom XML.](images/vpn-custom-xml-intune.png) -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md index 3233517baa..c1c9ac3826 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md @@ -1,7 +1,7 @@ --- title: Windows VPN technical guide description: Learn how to plan and configure Windows devices for your organization's VPN solution. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: overview --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md index 666f60d6c1..36074af74a 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md @@ -1,7 +1,7 @@ --- title: VPN name resolution description: Learn how name resolution works when using a VPN connection. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X | **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** | | **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** | | **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** | - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md index aced17dd8e..02b7c5daff 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md @@ -2,7 +2,7 @@ title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client ms.topic: how-to -ms.date: 05/06/2024 +ms.date: 01/27/2025 --- # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md index 4fdbb86971..43f5802163 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md @@ -1,7 +1,7 @@ --- title: VPN profile options description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create - [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp) - [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10)) -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md index e5f0bc3f68..6bbae9aa58 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -ms.date: 05/06/2024 +ms.date: 01/27/2025 title: VPN routing decisions description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.topic: concept-article @@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne ![split tunnel.](images/vpn-split.png) Once enabled, you can add the routes that should use the VPN connection. - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md index 0ca87d7370..2e53eeeae5 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md @@ -1,7 +1,7 @@ --- title: VPN security features description: Learn about security features for VPN, including LockDown VPN and traffic filters. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network > [!CAUTION] > Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established. - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN profile options](vpn-profile-options.md) From fc28c60c9d565f66f1d6b86170a57b2082374839 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 27 Jan 2025 21:04:32 -0500 Subject: [PATCH 22/45] Acrolinx --- .../network-security/vpn/vpn-conditional-access.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index e912b38f54..8b93ff6019 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md @@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional) - Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). -- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued. +- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued. - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - Antivirus status - Auto-update status and update compliance @@ -35,7 +35,7 @@ The following client-side components are also required: ## VPN device compliance -At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section. +At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the section. Server-side infrastructure requirements to support VPN device compliance include: @@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] -> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources. -> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). +> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources. +> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow @@ -71,7 +71,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client. 1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies. 1. If compliant, Microsoft Entra ID requests a short-lived certificate. 1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing. From 245f29986b072dce32e6ab40f591d278cf2e72f8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 27 Jan 2025 21:09:08 -0500 Subject: [PATCH 23/45] fix HTML tag --- .../network-security/vpn/vpn-conditional-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index 8b93ff6019..9702c4afee 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md @@ -35,7 +35,7 @@ The following client-side components are also required: ## VPN device compliance -At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the section. +At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section. Server-side infrastructure requirements to support VPN device compliance include: From b883d6e6c6453ba8f515de5702b741b7d01469cc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 28 Jan 2025 08:57:50 -0800 Subject: [PATCH 24/45] cpw2-9694988 --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 2af6627e8d..655fdb09e4 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Updated Windows and Microsoft 365 Copilot Chat experience description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization. ms.topic: overview ms.subservice: windows-copilot -ms.date: 01/22/2025 +ms.date: 01/28/2025 ms.author: mstewart author: mestew ms.collection: @@ -80,7 +80,7 @@ The following policy to manage Copilot in Windows (preview) will be removed in t You can remove or uninstall the Copilot app from your device by using one of the following methods: -1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list. +1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list. 1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods: 1. Prevent installation of the Copilot app: From 866d47341e471cab8d31f0352ed10c65238cec54 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 28 Jan 2025 10:05:32 -0700 Subject: [PATCH 25/45] Update applications-that-can-bypass-appcontrol.md --- .../design/applications-that-can-bypass-appcontrol.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md index 23d40c8440..f25bd9c11d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md @@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - texttransform.exe - visualuiaverifynative.exe - system.management.automation.dll -- webclnt.dll/davsvc.dll +- webclnt.dll/davsvc.dll3 - wfc.exe - windbg.exe - wmic.exe @@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you 2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe. +3 If you block WebDAV DLL's, we recommend that you also disable the **WebClient** service using a group policy or MDM policies. + * Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
From bc953482d3337b2af5b0c26774077e6731a000f8 Mon Sep 17 00:00:00 2001 From: Padma Jayaraman Date: Tue, 28 Jan 2025 23:18:34 +0530 Subject: [PATCH 26/45] Fix typo in WebDAV DLLs recommendation. --- .../design/applications-that-can-bypass-appcontrol.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md index f25bd9c11d..f2ebb636f5 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md @@ -62,7 +62,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you 2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe. -3 If you block WebDAV DLL's, we recommend that you also disable the **WebClient** service using a group policy or MDM policies. +3 If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies. * Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: From 7b0694f4bc50372c74a9470a32bd0fcde3754149 Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Tue, 28 Jan 2025 14:10:33 -0800 Subject: [PATCH 27/45] Add BuildValidation workflow --- .github/workflows/BuildValidation.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/BuildValidation.yml diff --git a/.github/workflows/BuildValidation.yml b/.github/workflows/BuildValidation.yml new file mode 100644 index 0000000000..e57844b453 --- /dev/null +++ b/.github/workflows/BuildValidation.yml @@ -0,0 +1,21 @@ +name: PR has no warnings or errors + +permissions: + pull-requests: write + statuses: write + +on: + issue_comment: + types: [created] + +jobs: + + build-status: + uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod + with: + PayloadJson: ${{ toJSON(github) }} + secrets: + AccessToken: ${{ secrets.GITHUB_TOKEN }} + + + From f01b4a9fd585a2bd5b1a813b4cbc5fbf7473682e Mon Sep 17 00:00:00 2001 From: David Callaghan Date: Wed, 29 Jan 2025 11:49:50 -0800 Subject: [PATCH 28/45] Update windows-autopatch-hotpatch-updates.md Removing ** asterisks and clarifying the registry key value and path to avoid customers using the wrong information. --- .../manage/windows-autopatch-hotpatch-updates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 026f05bd13..d92f402704 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -40,9 +40,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) -This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key: -Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` -Key value: `**HotPatchRestrictions=1**` +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key: +Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management` +DWORD key value: HotPatchRestrictions=1 > [!IMPORTANT] > This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices. From 24c2e18504b1afaf66778ece499504cd45eb3537 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 29 Jan 2025 15:35:05 -0500 Subject: [PATCH 29/45] Update review date on reviewed articles --- ...rted-with-the-user-state-migration-tool.md | 2 +- .../usmt/migrate-application-settings.md | 2 +- .../usmt/migration-store-types-overview.md | 2 +- .../usmt/offline-migration-reference.md | 10 ++-- .../usmt/understanding-migration-xml-files.md | 2 +- .../deployment/usmt/usmt-best-practices.md | 2 +- .../usmt/usmt-choose-migration-store-type.md | 2 +- .../usmt/usmt-command-line-syntax.md | 2 +- .../usmt/usmt-common-migration-scenarios.md | 2 +- .../deployment/usmt/usmt-configxml-file.md | 4 +- .../usmt/usmt-conflicts-and-precedence.md | 16 +++---- .../usmt/usmt-custom-xml-examples.md | 10 ++-- .../usmt/usmt-customize-xml-files.md | 2 +- .../usmt/usmt-determine-what-to-migrate.md | 2 +- .../usmt-estimate-migration-store-size.md | 2 +- .../usmt/usmt-exclude-files-and-settings.md | 2 +- ...files-from-a-compressed-migration-store.md | 2 +- windows/deployment/usmt/usmt-faq.yml | 48 +++++++++---------- .../usmt/usmt-general-conventions.md | 18 +++---- .../usmt/usmt-hard-link-migration-store.md | 2 +- windows/deployment/usmt/usmt-how-it-works.md | 4 +- windows/deployment/usmt/usmt-how-to.md | 2 +- .../usmt-identify-application-settings.md | 2 +- ...t-identify-file-types-files-and-folders.md | 2 +- ...usmt-identify-operating-system-settings.md | 2 +- .../deployment/usmt/usmt-identify-users.md | 2 +- .../usmt/usmt-include-files-and-settings.md | 14 +++--- .../deployment/usmt/usmt-loadstate-syntax.md | 2 +- windows/deployment/usmt/usmt-log-files.md | 2 +- ...usmt-migrate-efs-files-and-certificates.md | 2 +- .../usmt/usmt-migrate-user-accounts.md | 2 +- .../usmt/usmt-migration-store-encryption.md | 2 +- windows/deployment/usmt/usmt-overview.md | 2 +- .../usmt/usmt-plan-your-migration.md | 2 +- .../usmt-recognized-environment-variables.md | 2 +- windows/deployment/usmt/usmt-reference.md | 2 +- windows/deployment/usmt/usmt-requirements.md | 2 +- .../usmt/usmt-reroute-files-and-settings.md | 8 ++-- windows/deployment/usmt/usmt-resources.md | 4 +- .../deployment/usmt/usmt-scanstate-syntax.md | 2 +- .../usmt/usmt-technical-reference.md | 2 +- .../usmt/usmt-test-your-migration.md | 2 +- windows/deployment/usmt/usmt-topics.md | 2 +- .../deployment/usmt/usmt-troubleshooting.md | 2 +- windows/deployment/usmt/usmt-utilities.md | 2 +- .../usmt/usmt-what-does-usmt-migrate.md | 2 +- .../usmt/usmt-xml-elements-library.md | 44 ++++++++--------- windows/deployment/usmt/usmt-xml-reference.md | 2 +- ...ndition-of-a-compressed-migration-store.md | 2 +- .../deployment/usmt/xml-file-requirements.md | 2 +- 50 files changed, 129 insertions(+), 129 deletions(-) diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 9e1d97ccac..3a2a091e06 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 08/30/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index d189141607..563fffa13b 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 08/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index f0fdf74531..e69fa2a0eb 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 8e72361a5d..631c7b6aa6 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us ## What offline environments are supported? -All currently supported +All currently supported The following table defines the supported combination of online and offline operating systems in USMT. @@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in ```xml - C:\Windows - D:\Windows - E:\ + C:\Windows + D:\Windows + E:\ 1 diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 3adb68387b..2994c4a929 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 4ebf6ff55f..fe77583153 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 1847cce5d9..e8a0d69a2f 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 4844937b52..71da51bdda 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 1685667185..d618b669c3 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index c0e4682965..f77777e41f 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th - + --> diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index f9874a4d2f..c2a0454e4b 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c %CSIDL_PERSONAL%\* [*.doc] - + ``` ### How does USMT process each component in an .xml file with multiple components? @@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3 C:\* [*.mp3] - + ``` ### \ and \ rules precedence examples @@ -185,11 +185,11 @@ The destination computer contains the following files: A custom **.xml** file contains the following code: ```xml - - - c:\data\* [*] - - + + + c:\data\* [*] + + ``` For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file. diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 130f3031c8..c398822c63 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/09/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra My Video - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%") @@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the ` - - + + @@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the ` - + C:\*\Presentations\* [*] C:\Presentations\* [*] diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 8eefa733d4..00a902de28 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index bad57314e9..098c1a8a45 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 014e48a76e..ae5b4e142e 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 354badb01a..72388d511e 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 59234776e5..9fefd6f0b4 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index 666888f9d3..fb9a10a99e 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -11,12 +11,12 @@ metadata: ms.mktglfcycl: deploy ms.sitesec: library audience: itpro - ms.date: 01/09/2024 + ms.date: 01/29/2025 ms.topic: faq title: Frequently Asked Questions summary: | **Applies to:** - + - Windows 11 - Windows 10 @@ -30,13 +30,13 @@ sections: How much space is needed on the destination computer? answer: | The destination computer needs enough available space for the following items: - + - Operating system - + - Applications - + - Uncompressed store - + - question: | Can the files and settings be stored directly on the destination computer or is a server needed? answer: | @@ -47,13 +47,13 @@ sections: - Directly on the destination computer. To store it directly on the destination computer: - + 1. Create and share the directory `C:\store` on the destination computer. - + 1. Run the **ScanState** tool on the source computer and save the files and settings to `\\\store` - + 1. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location. - + - question: | Can data be migrated between operating systems with different languages? answer: | @@ -80,7 +80,7 @@ sections: How can a folder or a certain type of file be excluded from the migration? answer: | The **\** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\** rules that are in the **.xml** files. For an example, see **\** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md). - + - question: | What happens to files that were located on a drive that don't exist on the destination computer? answer: | @@ -91,22 +91,22 @@ sections: - C:\\ is the system drive on the destination computer. the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\** rules attempt to move data to a drive that doesn't exist on the destination computer. - + - name: USMT .xml Files questions: - question: | Where are there examples of USMT **.xml** files? answer: | The following articles include examples of USMT **.xml** files: - + - [Exclude files and settings](usmt-exclude-files-and-settings.md) - + - [Reroute files and settings](usmt-reroute-files-and-settings.md) - + - [Include files and settings](usmt-include-files-and-settings.md) - + - [Custom XML examples](usmt-custom-xml-examples.md) - + - question: | Can custom **.xml** files that were written for USMT 5.0 be used? answer: | @@ -121,9 +121,9 @@ sections: Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands? answer: | The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings. - + If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`. - + - question: | Which files can be modified and specified on the command line? answer: | @@ -133,20 +133,20 @@ sections: What happens if the **.xml** files aren't specified on the command line? answer: | - **ScanState** - + If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated. - + - **LoadState** - + If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`. - + - name: Conflicts and Precedence questions: - question: | What happens when there are conflicting XML rules or conflicting objects on the destination computer? answer: | For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). - + additionalContent: | diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 38b66a02b6..950371b73e 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves. For example, specify the file - + `C:\Windows\Notepad.exe` - + as - + **c:\\Windows\[Notepad.exe\]** - + Similarly, specify the directory - + `C:\Windows\System32` - + as - + **c:\\Windows\\System32** - + Note the absence of the **\[\]** characters in second example. The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index d2cae89bc7..7c21f7e783 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 591b1d3804..0da69dfec4 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/09/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol There are three types of components: - Components that migrate the operating system settings. - + - Components that migrate application settings. - Components that migrate users' files. diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index c3589124d1..72231c5f35 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index feca874008..41d2a4f881 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index e5b15c352d..e46ff9f218 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index cedbe8d1f9..941df2cced 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 736881d3b3..314590b2b7 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -9,7 +9,7 @@ author: frankroj ms.topic: conceptual ms.localizationpriority: medium ms.subservice: itpro-deploy -ms.date: 01/09/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index f4d79a27f2..6ff87626e6 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key. ```xml - Component to migrate only registry value string + Component to migrate only registry value string - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] + HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] @@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin - - + + @@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin - + C:\*\EngineeringDrafts\* [*] C:\EngineeringDrafts\* [*] @@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive - + ``` ## Migrate a specific file diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index a4bf1f2eeb..30667f7873 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 04/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index 70f159b544..27e897b01d 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index 39944f9a6a..8d146557a2 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 41f319446d..2e82b3db4e 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index b5dc3eb5fe..2084dbdd22 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index f0023bfc0b..0e8726cf9a 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -7,7 +7,7 @@ author: frankroj ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: overview ms.collection: - highpri diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 20bbc09ad5..6fbc90a488 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index 0d2153bbaa..74170fceed 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.collection: - highpri diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 9581170803..adeaf3c10e 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 26b5f86f7a..438b71d40b 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 04/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index f002c6d337..e7a5305f00 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed - + ``` ## Reroute a specific file @@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin Sample.doc into the Documents folder - - + + C:\EngineeringDrafts\ [Sample.doc] diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 239d7be582..6e81c92b9a 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -23,7 +23,7 @@ appliesto: - Microsoft Visual Studio - The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio. - + For more information about how to use the schema with an XML authoring environment, see the environment's documentation. - [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS). diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 24f73b72d1..a25a4bde8e 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 04/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 1254f4fef0..d269cd7597 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 57767aecf4..4b1d005a41 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index e3be3d8fd0..56ee8a1868 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 3e85b84a37..3ca79322a4 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 20c70db094..bef1f41088 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index e03e8db9c0..56cee12f98 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/18/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index a4694c75a9..fc41899980 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file: %HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang] DWORD 00000000 - + ``` ## \ @@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file: %HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang] DWORD 00000000 - + ``` ## \ @@ -1070,10 +1070,10 @@ Example: - DOC @@ -1126,18 +1126,18 @@ Syntax: For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\** element: ```xml - - doc - + + doc + ``` is the same as specifying the following code below the **\** element: ```xml - - - - + + + + ``` @@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file: %CSIDL_MYVIDEO% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%") @@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file: %CSIDL_MYMUSIC% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%") - + @@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the %CSIDL_STARTMENU% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%") - + @@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file: %CSIDL_MYMUSIC% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%") - + @@ -1969,7 +1969,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use **\** as follows. If multiple files exist with the same name, all such files get migrated. ```xml - + ``` For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md). @@ -2171,7 +2171,7 @@ For example: ```xml - %CSIDL_COMMON_APPDATA%\QuickTime + %CSIDL_COMMON_APPDATA%\QuickTime ``` @@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi - + diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index 3b1f32fc27..21d2195393 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 818a24659e..f611d55175 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 7d1969ad11..8b1d97b433 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: From c809361069aa33717ca0c5527ab82c16c5346d0a Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 29 Jan 2025 15:50:59 -0500 Subject: [PATCH 30/45] Update review date on reviewed articles 2 --- windows/deployment/upgrade/log-files.md | 2 +- windows/deployment/upgrade/resolve-windows-upgrade-errors.md | 2 +- windows/deployment/upgrade/setupdiag.md | 4 ++-- windows/deployment/upgrade/submit-errors.md | 2 +- windows/deployment/upgrade/windows-error-reporting.md | 4 ++-- windows/deployment/upgrade/windows-upgrade-paths.md | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 5da693649e..d8dc167a04 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md index da72341ab0..444ff9cf37 100644 --- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.topic: conceptual ms.service: windows-client ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 00ae1403ff..c66b48114b 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -12,7 +12,7 @@ ms.topic: troubleshooting ms.collection: - highpri - tier2 -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" "FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel", "DeviceDriverInfo":null, "Remediation":[ - + ], "SetupPhaseInfo":null, "SetupOperationInfo":null diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 48726194a2..5caad8feef 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -8,7 +8,7 @@ author: frankroj ms.localizationpriority: medium ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index c7251d75b2..34c5e47773 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -8,7 +8,7 @@ author: frankroj ms.localizationpriority: medium ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -18,7 +18,7 @@ appliesto: > [!NOTE] > -> This article is a 300 level article (moderately advanced). +> This article is a 300 level article (moderately advanced). > > See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md index 1033866907..4d1dcd205e 100644 --- a/windows/deployment/upgrade/windows-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-upgrade-paths.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.subservice: itpro-deploy -ms.date: 02/13/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 10 - ✅ Windows 11 From 360ec467a50435d5adb48f151b8fef010140652e Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Thu, 30 Jan 2025 02:37:19 +0530 Subject: [PATCH 31/45] Fix numbering --- windows/deployment/upgrade/log-files.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index d8dc167a04..78f9f1690b 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements: 1. **The date and time** - 2023-09-08 09:20:05 -1. **The log level** - Info, Warning, Error, Fatal Error +2. **The log level** - Info, Warning, Error, Fatal Error -1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS +3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. -1. **The message** - Operation completed successfully. +4. **The message** - Operation completed successfully. See the following example: From e9ca0075d60a6f39fd5d7a598e2e6fa3544519b2 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Date: Wed, 29 Jan 2025 15:21:24 -0800 Subject: [PATCH 32/45] UI updates --- .acrolinx-config.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 2794193b88..3e58e829a1 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality. -| Article | Total score
(Required: 80) | Words + phrases
(Brand, terms) | Correctness
(Spelling, grammar) | Clarity
(Readability) | +| Article | Total score
(Required: 80) | Terminology | Spelling and Grammar| Clarity
(Readability) | |---------|:--------------:|:--------------------:|:------:|:---------:| " From 121a3e9d45e2ab05d43d26476bd551962a1ae31f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 29 Jan 2025 17:50:01 -0700 Subject: [PATCH 33/45] Update docfx.json --- windows/security/docfx.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index e0cd0064c8..eebfabaaa0 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -142,9 +142,10 @@ "✅ Windows Server 2019", "✅ Windows Server 2016" ], - "application-security/application-control/windows-defender-application-control/**/*.md": [ + "application-security/application-control/app-control-for-business/**/*.md": [ "✅ Windows 11", "✅ Windows 10", + "✅ Windows Server 2025", "✅ Windows Server 2022", "✅ Windows Server 2019", "✅ Windows Server 2016" From 1a4d132553d6a0547cd66007fb6f34ea04083423 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 30 Jan 2025 10:01:58 -0800 Subject: [PATCH 34/45] edits and use include file --- .../catalog-checkpoint-cumulative-updates.md | 2 +- .../includes/checkpoint-cumulative-updates.md | 17 ++++++++++++++++ windows/deployment/update/release-cycle.md | 20 ++++++++----------- 3 files changed, 26 insertions(+), 13 deletions(-) create mode 100644 windows/deployment/update/includes/checkpoint-cumulative-updates.md diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index a537aea3fa..cef752e648 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -13,7 +13,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11, version 24H2 and later - ✅ Windows Server 2025 -ms.date: 01/27/2025 +ms.date: 01/30/2025 --- # Checkpoint cumulative updates and Microsoft Update Catalog usage diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md new file mode 100644 index 0000000000..9e266ddb65 --- /dev/null +++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md @@ -0,0 +1,17 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.subservice: itpro-updates +ms.service: windows-client +ms.topic: include +ms.date: 01/30/2025 +ms.localizationpriority: medium +--- + + +Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: +- The update package files associated with the checkpoints, and +- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index 7df3d99935..449627bbbe 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 01/27/2025 +ms.date: 01/30/2025 --- # Update release cycle for Windows clients @@ -54,13 +54,8 @@ Monthly security update releases are available through the following channels: Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment. -Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: -- The update package files associated with the checkpoints, and -- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. - -Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. - - + +[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)] ## Optional nonsecurity preview release @@ -78,11 +73,9 @@ To access the optional nonsecurity preview release: - Use [Windows Insider Program for Business](https://insider.windows.com/for-business) - Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). -Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: -- The update package files associated with the checkpoints, and -- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)] -Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. ## OOB releases @@ -97,6 +90,9 @@ Some key considerations about OOB releases include: - Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases. - Some OOB releases are classified as noncritical. - Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update. + + +[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)] ## Continuous innovation for Windows 11 From 453ad36bf40b41e29f18af5d1cc9621ab4184e93 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 30 Jan 2025 10:07:34 -0800 Subject: [PATCH 35/45] fix link --- .../deployment/update/includes/checkpoint-cumulative-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md index 9e266ddb65..c1be20d788 100644 --- a/windows/deployment/update/includes/checkpoint-cumulative-updates.md +++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md @@ -14,4 +14,4 @@ Starting Windows 11, version 24H2, Microsoft may periodically release cumulative - The update package files associated with the checkpoints, and - New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. -Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference. +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference. From 0df087627d8d8bf258704d57f22a68134130860d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 30 Jan 2025 13:36:49 -0500 Subject: [PATCH 36/45] script variable update --- .../passwordless-strategy/journey-step-3.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md index 9bc006a4e0..46402af58c 100644 --- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md @@ -2,7 +2,7 @@ title: Transition into a passwordless deployment description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey. ms.topic: concept-article -ms.date: 10/29/2024 +ms.date: 01/30/2025 --- # Transition into a passwordless deployment @@ -123,7 +123,7 @@ function Generate-RandomPassword{ $NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force -Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset +Set-ADAccountPassword -identity $samAccountName = -NewPassword $NewPassword -Reset ``` If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password. From 1007a030d7c902902a9f7d4c6aeb505a8b7df216 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 30 Jan 2025 13:43:07 -0500 Subject: [PATCH 37/45] fix --- .../identity-protection/passwordless-strategy/journey-step-3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md index 46402af58c..3d3f9622e0 100644 --- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md @@ -123,7 +123,7 @@ function Generate-RandomPassword{ $NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force -Set-ADAccountPassword -identity $samAccountName = -NewPassword $NewPassword -Reset +Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset ``` If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password. From 746a55a558255fa98a24c552ec4e49a653707c65 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Fri, 31 Jan 2025 07:47:26 -0600 Subject: [PATCH 38/45] Update security-compliance-toolkit-10.md Removed reference to Server 2012 R2, Office 2016, Windows 10 20H2. Added Server 2025 Updated Office baseline to v2412 --- .../security-compliance-toolkit-10.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index ced5288d21..3556919a26 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of: - Windows 10 security baselines - Windows 10, version 22H2 - Windows 10, version 21H2 - - Windows 10, version 20H2 - Windows 10, version 1809 - Windows 10, version 1607 - Windows 10, version 1507 - Windows Server security baselines + - Windows Server 2025 - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - - Windows Server 2012 R2 - Microsoft Office security baseline - - Office 2016 - - Microsoft 365 Apps for Enterprise Version 2206 + - Microsoft 365 Apps for Enterprise Version 2412 - Microsoft Edge security baseline - Microsoft Edge version 128 - Tools From 56501a2715c401e2beb228aaa26e499e5d14c1e1 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:12:47 -0600 Subject: [PATCH 39/45] Update get-support-for-security-baselines.md Updated versions and removed links to SCM --- .../get-support-for-security-baselines.md | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md index 05f61ccf78..75939e36c9 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported. More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). -### Where can I get an older version of a Windows baseline? - -Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT. - -- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10)) -- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) -- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) -- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) - -### What file formats are supported by the new SCT? +### What file formats are supported by the SCT? The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported. @@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t | Name | Build | Baseline Release Date | Security Tools | |--|--|--|--| +| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | ### Microsoft products | Name | Details | Security Tools | |--|--|--| -| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | ## Related articles From ef635d68903f2bd699414a1e6de8db3fae68c075 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:39:25 -0800 Subject: [PATCH 40/45] edit --- .../update/catalog-checkpoint-cumulative-updates.md | 4 ++-- .../update/includes/checkpoint-cumulative-updates.md | 4 ++-- windows/deployment/update/release-cycle.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index cef752e648..0c3fda339a 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -13,11 +13,11 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11, version 24H2 and later - ✅ Windows Server 2025 -ms.date: 01/30/2025 +ms.date: 01/31/2025 --- # Checkpoint cumulative updates and Microsoft Update Catalog usage - + Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. ## Checkpoint cumulative updates diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md index c1be20d788..dd9b0e1abd 100644 --- a/windows/deployment/update/includes/checkpoint-cumulative-updates.md +++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md @@ -5,10 +5,10 @@ manager: aaroncz ms.subservice: itpro-updates ms.service: windows-client ms.topic: include -ms.date: 01/30/2025 +ms.date: 01/31/2025 ms.localizationpriority: medium --- - + Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: - The update package files associated with the checkpoints, and diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index 449627bbbe..ef01bc96d7 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 01/30/2025 +ms.date: 01/31/2025 --- # Update release cycle for Windows clients From 14751d75763c5009894ca7922c94a717cbd8761d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 31 Jan 2025 09:50:46 -0800 Subject: [PATCH 41/45] edits --- .../catalog-checkpoint-cumulative-updates.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 0c3fda339a..867e17a256 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -12,13 +12,13 @@ ms.collection: ms.localizationpriority: medium appliesto: - ✅ Windows 11, version 24H2 and later - - ✅ Windows Server 2025 + - ✅ Windows Server 2025 and later ms.date: 01/31/2025 --- # Checkpoint cumulative updates and Microsoft Update Catalog usage -Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. +Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. ## Checkpoint cumulative updates @@ -32,7 +32,7 @@ Going forward, Microsoft might periodically release cumulative updates as checkp This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device. -If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. +If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. ### Applicability @@ -40,11 +40,10 @@ A checkpoint cumulative update is just another monthly security update that info This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). +### Update Windows installation media + WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). -### Current checkpoint cumulative updates - -For Windows 11, version 24H2 and later, for a given update, the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. ## Updating from the Microsoft Update Catalog @@ -54,7 +53,7 @@ When installing a given monthly security or optional nonsecurity preview update, For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): - > Method 2: Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+ > Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080). @@ -73,7 +72,7 @@ Examples of eligible devices: **Device needs FoD or language pack customization:** -Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. +Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. 1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present. 1. Mount the install.wim file. From bc3239cafdcdd56555b9b42b7cd520fe8d0783ae Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 31 Jan 2025 10:39:10 -0800 Subject: [PATCH 42/45] Update catalog-checkpoint-cumulative-updates.md commit --- .../deployment/update/catalog-checkpoint-cumulative-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 867e17a256..f92a84a8fa 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -90,4 +90,4 @@ Devices that aren't on the latest checkpoint cumulative update and don't need Fo - [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) - [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) - [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog) -- [Update Windows installation media with Dynamic Update](media-dynamic-update.md) +- [Update Windows installation media with Dynamic Update](media-dynamic-update.md) From 248eef82d97bfc706fc386fff79bdc22decbdeef Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 31 Jan 2025 11:01:47 -0800 Subject: [PATCH 43/45] edits --- .../deployment/update/catalog-checkpoint-cumulative-updates.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 867e17a256..a4e7755200 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -38,9 +38,10 @@ If any checkpoint cumulative updates precede a target update, a device or image A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. +### Update Windows installation media + This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). -### Update Windows installation media WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). From dae02a5ae9b4f40a7084d58759f629ee5c5f3c0d Mon Sep 17 00:00:00 2001 From: Mukund Kher Date: Fri, 31 Jan 2025 11:03:11 -0800 Subject: [PATCH 44/45] Update catalog-checkpoint-cumulative-updates.md Commit --- .../update/catalog-checkpoint-cumulative-updates.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index 4778484089..c7ba0f378d 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -38,10 +38,9 @@ If any checkpoint cumulative updates precede a target update, a device or image A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. -### Update Windows installation media - This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). +### Update Windows installation media WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). @@ -84,7 +83,7 @@ Installing FoDs or language packs requires the full latest cumulative update pay **Device doesn't have the latest checkpoint cumulative update and doesn't need customization:** -Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. +Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. ## Related articles From 53a7beeb303649515112b4542b9efc9494218f8b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 31 Jan 2025 11:09:40 -0800 Subject: [PATCH 45/45] edits --- .../update/catalog-checkpoint-cumulative-updates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index c7ba0f378d..ce4b36fd45 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -38,10 +38,10 @@ If any checkpoint cumulative updates precede a target update, a device or image A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. -This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). - ### Update Windows installation media +This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). + WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).