Merge branch 'main' into main

2025-05-12 21:37:22 +00:00 · 2025-01-31 14:15:24 -08:00 · 2025-01-31 14:15:24 -08:00 · 0d6268d464
commit 0d6268d464
parent a01cdb5681 ab24ea718d
96 changed files with 771 additions and 401 deletions
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
 Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
-| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
+| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
 |---------|:--------------:|:--------------------:|:------:|:---------:|
 "
--- a/.github/workflows/BuildValidation.yml
+++ b/.github/workflows/BuildValidation.yml
@ -0,0 +1,21 @@
 name: PR has no warnings or errors
 permissions:
  pull-requests: write
  statuses: write
 on: 
  issue_comment:
    types: [created]
 jobs:
  build-status:
    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
    with:
      PayloadJson: ${{ toJSON(github) }}
    secrets:
      AccessToken: ${{ secrets.GITHUB_TOKEN }}
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Learn how federated sign-in in Windows works and how to configure it.
-ms.date: 06/03/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@ -3,7 +3,7 @@ title: Updated Windows and Microsoft 365 Copilot Chat experience
 description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
 ms.topic: overview
 ms.subservice: windows-copilot
-ms.date: 01/22/2025
+ms.date: 01/28/2025
 ms.author: mstewart
 author: mestew
 ms.collection:
@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe
 The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
 The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
-The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. 
+The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. 
-Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
+Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
 ## Policy information for previous Copilot in Windows (preview) experience
@ -80,7 +80,7 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
 You can remove or uninstall the Copilot app from your device by using one of the following methods:
-1. Enterprise users  can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
+1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
 1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
   1. Prevent installation of the Copilot app:
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -551,6 +551,10 @@ The possible values for 'zz' are:
 - 1 = Store recovery passwords and key packages
 - 2 = Store recovery passwords only
 For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
 For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
 <!-- Device-FixedDrivesRecoveryOptions-Editable-End -->
 <!-- Device-FixedDrivesRecoveryOptions-DFProperties-Begin -->
@ -2092,6 +2096,10 @@ The possible values for 'zz' are:
 - 1 = Store recovery passwords and key packages.
 - 2 = Store recovery passwords only.
 For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
 For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
 <!-- Device-SystemDrivesRecoveryOptions-Editable-End -->
 <!-- Device-SystemDrivesRecoveryOptions-DFProperties-Begin -->
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -1,7 +1,7 @@
 ---
 title: HealthAttestation CSP
 description: Learn more about the HealthAttestation CSP.
-ms.date: 01/31/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no
 <!-- Device-AttestErrorMessage-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later <br> ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later <br> ✅ Windows Insider Preview |
 <!-- Device-AttestErrorMessage-Applicability-End -->
 <!-- Device-AttestErrorMessage-OmaUri-Begin -->
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@ -1,7 +1,7 @@
 ---
 title: HealthAttestation DDF file
 description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
-ms.date: 06/28/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H
          <MIME />
        </DFType>
        <MSFT:Applicability>
-          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+          <MSFT:OsBuildVersion>99.9.99999, 10.0.26100.2314, 10.0.22621.4541</MSFT:OsBuildVersion>
          <MSFT:CspVersion>1.4</MSFT:CspVersion>
        </MSFT:Applicability>
      </DFProperties>
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@ -1,7 +1,7 @@
 ---
 title: Configuration service provider preview policies
 description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 11/27/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview
 ## Connectivity
 - [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
 - [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
 - [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
 - [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
 - [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
 ## DeviceGuard
 - [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
 ## DevicePreparation CSP
 - [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
 ## HumanPresence
 - [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
 - [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
 - [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
 ## InternetExplorer
 - [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
 ## Printers
 - [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
 ## Reboot CSP
 - [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@ -1,7 +1,7 @@
 ---
 title: Connectivity Policy CSP
 description: Learn more about the Connectivity Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read
 <!-- DisableCellularSettingsPage-End -->
 <!-- DisableCrossDeviceResume-Begin -->
 ## DisableCrossDeviceResume
 <!-- DisableCrossDeviceResume-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- DisableCrossDeviceResume-Applicability-End -->
 <!-- DisableCrossDeviceResume-OmaUri-Begin -->
 ```User
 ./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
 ```
 <!-- DisableCrossDeviceResume-OmaUri-End -->
 <!-- DisableCrossDeviceResume-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC.
 - If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
 - If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
 - If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
 <!-- DisableCrossDeviceResume-Description-End -->
 <!-- DisableCrossDeviceResume-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DisableCrossDeviceResume-Editable-End -->
 <!-- DisableCrossDeviceResume-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- DisableCrossDeviceResume-DFProperties-End -->
 <!-- DisableCrossDeviceResume-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 (Default) | CrossDeviceResume is Enabled. |
 | 1 | CrossDeviceResume is Disabled. |
 <!-- DisableCrossDeviceResume-AllowedValues-End -->
 <!-- DisableCrossDeviceResume-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- DisableCrossDeviceResume-Examples-End -->
 <!-- DisableCrossDeviceResume-End -->
 <!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
 ## DisableDownloadingOfPrintDriversOverHTTP
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@ -1,7 +1,7 @@
 ---
 title: DeliveryOptimization Policy CSP
 description: Learn more about the DeliveryOptimization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 01/21/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -34,11 +34,7 @@ ms.date: 08/06/2024
 <!-- DOAbsoluteMaxCacheSize-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies the maximum size in GB of Delivery Optimization cache.
+Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy.
 This policy overrides the DOMaxCacheSize policy.
 The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
 <!-- DOAbsoluteMaxCacheSize-Description-End -->
 <!-- DOAbsoluteMaxCacheSize-Editable-Begin -->
@ -93,7 +89,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
 <!-- DOAllowVPNPeerCaching-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
 <!-- DOAllowVPNPeerCaching-Description-End -->
 <!-- DOAllowVPNPeerCaching-Editable-Begin -->
@ -125,8 +121,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con
 | Name | Value |
 |:--|:--|
 | Name | AllowVPNPeerCaching |
-| Friendly Name | Enable Peer Caching while the device connects via VPN |
+| Friendly Name | Enable P2P while the device connects via VPN |
-| Element Name | Enable Peer Caching while the device connects via VPN. |
+| Element Name | Enable P2P while the device connects via VPN. |
 | Location | Computer Configuration |
 | Path | Windows Components > Delivery Optimization |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -156,9 +152,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con
 <!-- DOCacheHost-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
+Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
 One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
 <!-- DOCacheHost-Description-End -->
 <!-- DOCacheHost-Editable-Begin -->
@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or
 <!-- DOCacheHostSource-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
+Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically.
 Options available are:
 0 = Disable DNS-SD.
 1 = DHCP Option 235.
 1 = DHCP Option 235
 2 = DHCP Option 235 Force.
 If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
 <!-- DOCacheHostSource-Description-End -->
 <!-- DOCacheHostSource-Editable-Begin -->
@ -240,10 +227,18 @@ If this policy isn't configured, the client will attempt to automatically find a
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Allowed Values | Range: `[0-4294967295]` |
 | Default Value  | 0 |
 <!-- DOCacheHostSource-DFProperties-End -->
 <!-- DOCacheHostSource-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 1 | DHCP Option 235. |
 | 2 | DHCP Option 235 Force. |
 <!-- DOCacheHostSource-AllowedValues-End -->
 <!-- DOCacheHostSource-GpMapping-Begin -->
 **Group policy mapping**:
@ -281,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a
 <!-- DODelayBackgroundDownloadFromHttp-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P.
+For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
 After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
 Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
 The recommended value is 1 hour (3600).
 <!-- DODelayBackgroundDownloadFromHttp-Description-End -->
 <!-- DODelayBackgroundDownloadFromHttp-Editable-Begin -->
@ -311,7 +300,7 @@ The recommended value is 1 hour (3600).
 | Name | Value |
 |:--|:--|
 | Name | DelayBackgroundDownloadFromHttp |
-| Friendly Name | Delay background download from http (in secs) |
+| Friendly Name | Delay background download from http (in seconds) |
 | Element Name | Delay background download from http (in secs) |
 | Location | Computer Configuration |
 | Path | Windows Components > Delivery Optimization |
@ -342,7 +331,7 @@ The recommended value is 1 hour (3600).
 <!-- DODelayCacheServerFallbackBackground-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
 <!-- DODelayCacheServerFallbackBackground-Description-End -->
 <!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
@ -397,7 +386,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
 <!-- DODelayCacheServerFallbackForeground-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
 <!-- DODelayCacheServerFallbackForeground-Description-End -->
 <!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@ -452,13 +441,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
 <!-- DODelayForegroundDownloadFromHttp-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P.
+For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
 After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
 Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
 The recommended value is 1 minute (60).
 <!-- DODelayForegroundDownloadFromHttp-Description-End -->
 <!-- DODelayForegroundDownloadFromHttp-Editable-Begin -->
@ -482,7 +465,7 @@ The recommended value is 1 minute (60).
 | Name | Value |
 |:--|:--|
 | Name | DelayForegroundDownloadFromHttp |
-| Friendly Name | Delay Foreground download from http (in secs) |
+| Friendly Name | Delay Foreground download from http (in seconds) |
 | Element Name | Delay Foreground download from http (in secs) |
 | Location | Computer Configuration |
 | Path | Windows Components > Delivery Optimization |
@ -513,7 +496,7 @@ The recommended value is 1 minute (60).
 <!-- DODisallowCacheServerDownloadsOnVPN-Description-Begin -->
 <!-- Description-Source-DDF -->
-Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
+Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
 <!-- DODisallowCacheServerDownloadsOnVPN-Description-End -->
 <!-- DODisallowCacheServerDownloadsOnVPN-Editable-Begin -->
@ -535,8 +518,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Allowed. |
+| 0 (Default) | Not Set. |
-| 1 | Not allowed. |
+| 1 | Enabled. |
 <!-- DODisallowCacheServerDownloadsOnVPN-AllowedValues-End -->
 <!-- DODisallowCacheServerDownloadsOnVPN-GpMapping-Begin -->
@ -572,7 +555,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
 <!-- DODownloadMode-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
+Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
 <!-- DODownloadMode-Description-End -->
 <!-- DODownloadMode-Editable-Begin -->
@ -598,10 +581,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
 |:--|:--|
 | 0 (Default) | HTTP only, no peering. |
 | 1 | HTTP blended with peering behind the same NAT. |
-| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
+| 2 | HTTP blended with peering across a private group. |
 | 3 | HTTP blended with Internet peering. |
-| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
+| 99 | HTTP only, no peering, no use of DO cloud service. |
-| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
+| 100 | Bypass mode, deprecated in Windows 11. |
 <!-- DODownloadMode-AllowedValues-End -->
 <!-- DODownloadMode-GpMapping-Begin -->
@ -641,11 +624,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
 <!-- DOGroupId-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
+Specifies an arbitrary group ID that the device belongs to. A GUID must be used.
 Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN.
 Note this is a best effort optimization and shouldn't be relied on for an authentication of identity.
 <!-- DOGroupId-Description-End -->
 <!-- DOGroupId-Editable-Begin -->
@ -698,7 +677,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
 <!-- DOGroupIdSource-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Specifies the source of group ID used for peer selection.
 <!-- DOGroupIdSource-Description-End -->
 <!-- DOGroupIdSource-Editable-Begin -->
@ -722,12 +701,12 @@ Set this policy to restrict peer selection to a specific source. Available optio
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Unset. |
+| 0 (Default) | Not Set. |
 | 1 | AD site. |
 | 2 | Authenticated domain SID. |
-| 3 | DHCP user option. |
+| 3 | DHCP Option ID. |
-| 4 | DNS suffix. |
+| 4 | DNS Suffix. |
-| 5 | Microsoft Entra ID. |
+| 5 | Entra ID Tenant ID. |
 <!-- DOGroupIdSource-AllowedValues-End -->
 <!-- DOGroupIdSource-GpMapping-Begin -->
@ -768,8 +747,6 @@ Set this policy to restrict peer selection to a specific source. Available optio
 <!-- DOMaxBackgroundDownloadBandwidth-Description-Begin -->
 <!-- Description-Source-ADMX -->
 Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
 The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 <!-- DOMaxBackgroundDownloadBandwidth-Description-End -->
 <!-- DOMaxBackgroundDownloadBandwidth-Editable-Begin -->
@ -824,7 +801,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
 <!-- DOMaxCacheAge-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
 <!-- DOMaxCacheAge-Description-End -->
 <!-- DOMaxCacheAge-Editable-Begin -->
@ -879,7 +856,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
 <!-- DOMaxCacheSize-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
 <!-- DOMaxCacheSize-Description-End -->
 <!-- DOMaxCacheSize-Editable-Begin -->
@ -935,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
 <!-- DOMaxForegroundDownloadBandwidth-Description-Begin -->
 <!-- Description-Source-ADMX -->
 Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
 The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 <!-- DOMaxForegroundDownloadBandwidth-Description-End -->
 <!-- DOMaxForegroundDownloadBandwidth-Editable-Begin -->
@ -991,7 +966,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
 <!-- DOMinBackgroundQos-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
+Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
 <!-- DOMinBackgroundQos-Description-End -->
 <!-- DOMinBackgroundQos-Editable-Begin -->
@ -1046,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se
 <!-- DOMinBatteryPercentageAllowedToUpload-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
+Specifies the minimum battery level required for uploading to peers, while on battery power.
 The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
 The value 0 means "not-limited"; The cloud service set default value will be used.
 <!-- DOMinBatteryPercentageAllowedToUpload-Description-End -->
 <!-- DOMinBatteryPercentageAllowedToUpload-Editable-Begin -->
@ -1105,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use
 <!-- DOMinDiskSizeAllowedToPeer-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
+Specifies the required minimum total disk size in GB for the device to use P2P.
 Recommended values: 64 GB to 256 GB.
 > [!NOTE]
 > If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
 <!-- DOMinDiskSizeAllowedToPeer-Description-End -->
 <!-- DOMinDiskSizeAllowedToPeer-Editable-Begin -->
@ -1134,8 +1100,8 @@ Recommended values: 64 GB to 256 GB.
 | Name | Value |
 |:--|:--|
 | Name | MinDiskSizeAllowedToPeer |
-| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
+| Friendly Name | Minimum disk size allowed to use P2P (in GB) |
-| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
+| Element Name | Minimum disk size allowed to use P2P (in GB) |
 | Location | Computer Configuration |
 | Path | Windows Components > Delivery Optimization |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1165,7 +1131,7 @@ Recommended values: 64 GB to 256 GB.
 <!-- DOMinFileSizeToCache-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
+Specifies the minimum content file size in MB eligible to use P2P.
 <!-- DOMinFileSizeToCache-Description-End -->
 <!-- DOMinFileSizeToCache-Editable-Begin -->
@ -1189,8 +1155,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
 | Name | Value |
 |:--|:--|
 | Name | MinFileSizeToCache |
-| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
+| Friendly Name | Minimum P2P Content File Size (in MB) |
-| Element Name | Minimum Peer Caching Content File Size (in MB) |
+| Element Name | Minimum P2P Content File Size (in MB) |
 | Location | Computer Configuration |
 | Path | Windows Components > Delivery Optimization |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1220,7 +1186,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
 <!-- DOMinRAMAllowedToPeer-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
+Specifies the minimum total RAM size in GB required to use P2P.
 <!-- DOMinRAMAllowedToPeer-Description-End -->
 <!-- DOMinRAMAllowedToPeer-Editable-Begin -->
@ -1244,8 +1210,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
 | Name | Value |
 |:--|:--|
 | Name | MinRAMAllowedToPeer |
-| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
+| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
-| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
+| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
 | Location | Computer Configuration |
 | Path | Windows Components > Delivery Optimization |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1275,9 +1241,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
 <!-- DOModifyCacheDrive-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies the drive Delivery Optimization shall use for its cache.
+Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
 By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
 <!-- DOModifyCacheDrive-Description-End -->
 <!-- DOModifyCacheDrive-Editable-Begin -->
@ -1330,7 +1294,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
 <!-- DOMonthlyUploadDataCap-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
+Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
 <!-- DOMonthlyUploadDataCap-Description-End -->
 <!-- DOMonthlyUploadDataCap-Editable-Begin -->
@ -1386,8 +1350,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to
 <!-- DOPercentageMaxBackgroundBandwidth-Description-Begin -->
 <!-- Description-Source-ADMX -->
 Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
 The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
 <!-- DOPercentageMaxBackgroundBandwidth-Description-End -->
 <!-- DOPercentageMaxBackgroundBandwidth-Editable-Begin -->
@ -1445,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set.
 <!-- DOPercentageMaxForegroundBandwidth-Description-Begin -->
 <!-- Description-Source-ADMX -->
 Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
 The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
 <!-- DOPercentageMaxForegroundBandwidth-Description-End -->
 <!-- DOPercentageMaxForegroundBandwidth-Editable-Begin -->
@ -1501,7 +1461,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
 <!-- DORestrictPeerSelectionBy-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
+Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
 <!-- DORestrictPeerSelectionBy-Description-End -->
 <!-- DORestrictPeerSelectionBy-Editable-Begin -->
@ -1528,7 +1488,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
 |:--|:--|
 | 0 (Default) | None. |
 | 1 | Subnet mask. |
-| 2 | Local peer discovery (DNS-SD). |
+| 2 | Local discovery (DNS-SD). |
 <!-- DORestrictPeerSelectionBy-AllowedValues-End -->
 <!-- DORestrictPeerSelectionBy-GpMapping-Begin -->
@ -1681,7 +1641,7 @@ This policy allows an IT Admin to define the following details:
 <!-- DOVpnKeywords-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
+Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma.
 <!-- DOVpnKeywords-Description-End -->
 <!-- DOVpnKeywords-Editable-Begin -->
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@ -1,7 +1,7 @@
 ---
 title: DeviceGuard Policy CSP
 description: Learn more about the DeviceGuard Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
 <!-- DeviceGuard-Begin -->
 # Policy CSP - DeviceGuard
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- DeviceGuard-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DeviceGuard-Editable-End -->
@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
 <!-- LsaCfgFlags-End -->
 <!-- MachineIdentityIsolation-Begin -->
 ## MachineIdentityIsolation
 <!-- MachineIdentityIsolation-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- MachineIdentityIsolation-Applicability-End -->
 <!-- MachineIdentityIsolation-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
 ```
 <!-- MachineIdentityIsolation-OmaUri-End -->
 <!-- MachineIdentityIsolation-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
 Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
 <!-- MachineIdentityIsolation-Description-End -->
 <!-- MachineIdentityIsolation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- MachineIdentityIsolation-Editable-End -->
 <!-- MachineIdentityIsolation-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- MachineIdentityIsolation-DFProperties-End -->
 <!-- MachineIdentityIsolation-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
 | 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
 | 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
 <!-- MachineIdentityIsolation-AllowedValues-End -->
 <!-- MachineIdentityIsolation-GpMapping-Begin -->
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
 | Name | VirtualizationBasedSecurity |
 | Friendly Name | Turn On Virtualization Based Security |
 | Element Name | Machine Identity Isolation Configuration. |
 | Location | Computer Configuration |
 | Path | System > Device Guard |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
 | ADMX File Name | DeviceGuard.admx |
 <!-- MachineIdentityIsolation-GpMapping-End -->
 <!-- MachineIdentityIsolation-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- MachineIdentityIsolation-Examples-End -->
 <!-- MachineIdentityIsolation-End -->
 <!-- RequirePlatformSecurityFeatures-Begin -->
 ## RequirePlatformSecurityFeatures
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@ -1,7 +1,7 @@
 ---
 title: HumanPresence Policy CSP
 description: Learn more about the HumanPresence Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 09/27/2024
 <!-- HumanPresence-Begin -->
 # Policy CSP - HumanPresence
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- HumanPresence-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- HumanPresence-Editable-End -->
@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
 <!-- ForceLockTimeout-End -->
 <!-- ForcePrivacyScreen-Begin -->
 ## ForcePrivacyScreen
 <!-- ForcePrivacyScreen-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- ForcePrivacyScreen-Applicability-End -->
 <!-- ForcePrivacyScreen-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
 ```
 <!-- ForcePrivacyScreen-OmaUri-End -->
 <!-- ForcePrivacyScreen-Description-Begin -->
 <!-- Description-Source-DDF -->
 Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
 <!-- ForcePrivacyScreen-Description-End -->
 <!-- ForcePrivacyScreen-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- ForcePrivacyScreen-Editable-End -->
 <!-- ForcePrivacyScreen-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- ForcePrivacyScreen-DFProperties-End -->
 <!-- ForcePrivacyScreen-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 2 | ForcedOff. |
 | 1 | ForcedOn. |
 | 0 (Default) | DefaultToUserChoice. |
 <!-- ForcePrivacyScreen-AllowedValues-End -->
 <!-- ForcePrivacyScreen-GpMapping-Begin -->
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
 | Name | ForcePrivacyScreen |
 | Path | Sensors > AT > WindowsComponents > HumanPresence |
 <!-- ForcePrivacyScreen-GpMapping-End -->
 <!-- ForcePrivacyScreen-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- ForcePrivacyScreen-Examples-End -->
 <!-- ForcePrivacyScreen-End -->
 <!-- ForcePrivacyScreenDim-Begin -->
 ## ForcePrivacyScreenDim
 <!-- ForcePrivacyScreenDim-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- ForcePrivacyScreenDim-Applicability-End -->
 <!-- ForcePrivacyScreenDim-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
 ```
 <!-- ForcePrivacyScreenDim-OmaUri-End -->
 <!-- ForcePrivacyScreenDim-Description-Begin -->
 <!-- Description-Source-DDF -->
 Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
 <!-- ForcePrivacyScreenDim-Description-End -->
 <!-- ForcePrivacyScreenDim-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- ForcePrivacyScreenDim-Editable-End -->
 <!-- ForcePrivacyScreenDim-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- ForcePrivacyScreenDim-DFProperties-End -->
 <!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 2 | ForcedUnchecked. |
 | 1 | ForcedChecked. |
 | 0 (Default) | DefaultToUserChoice. |
 <!-- ForcePrivacyScreenDim-AllowedValues-End -->
 <!-- ForcePrivacyScreenDim-GpMapping-Begin -->
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
 | Name | ForcePrivacyScreenDim |
 | Path | Sensors > AT > WindowsComponents > HumanPresence |
 <!-- ForcePrivacyScreenDim-GpMapping-End -->
 <!-- ForcePrivacyScreenDim-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- ForcePrivacyScreenDim-Examples-End -->
 <!-- ForcePrivacyScreenDim-End -->
 <!-- ForcePrivacyScreenNotification-Begin -->
 ## ForcePrivacyScreenNotification
 <!-- ForcePrivacyScreenNotification-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- ForcePrivacyScreenNotification-Applicability-End -->
 <!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
 ```
 <!-- ForcePrivacyScreenNotification-OmaUri-End -->
 <!-- ForcePrivacyScreenNotification-Description-Begin -->
 <!-- Description-Source-DDF -->
 Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
 <!-- ForcePrivacyScreenNotification-Description-End -->
 <!-- ForcePrivacyScreenNotification-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- ForcePrivacyScreenNotification-Editable-End -->
 <!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- ForcePrivacyScreenNotification-DFProperties-End -->
 <!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 2 | ForcedUnchecked. |
 | 1 | ForcedChecked. |
 | 0 (Default) | DefaultToUserChoice. |
 <!-- ForcePrivacyScreenNotification-AllowedValues-End -->
 <!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
 | Name | ForcePrivacyScreenNotification |
 | Path | Sensors > AT > WindowsComponents > HumanPresence |
 <!-- ForcePrivacyScreenNotification-GpMapping-End -->
 <!-- ForcePrivacyScreenNotification-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- ForcePrivacyScreenNotification-Examples-End -->
 <!-- ForcePrivacyScreenNotification-End -->
 <!-- HumanPresence-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- HumanPresence-CspMoreInfo-End -->
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@ -1,7 +1,7 @@
 ---
 title: Printers Policy CSP
 description: Learn more about the Printers Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- Printers-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Printers-Editable-End -->
@ -348,6 +350,56 @@ The following are the supported values:
 <!-- ConfigureIppPageCountsPolicy-End -->
 <!-- ConfigureIppTlsCertificatePolicy-Begin -->
 ## ConfigureIppTlsCertificatePolicy
 <!-- ConfigureIppTlsCertificatePolicy-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- ConfigureIppTlsCertificatePolicy-Applicability-End -->
 <!-- ConfigureIppTlsCertificatePolicy-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
 ```
 <!-- ConfigureIppTlsCertificatePolicy-OmaUri-End -->
 <!-- ConfigureIppTlsCertificatePolicy-Description-Begin -->
 <!-- Description-Source-Not-Found -->
 <!-- ConfigureIppTlsCertificatePolicy-Description-End -->
 <!-- ConfigureIppTlsCertificatePolicy-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- ConfigureIppTlsCertificatePolicy-Editable-End -->
 <!-- ConfigureIppTlsCertificatePolicy-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
 <!-- ConfigureIppTlsCertificatePolicy-DFProperties-End -->
 <!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-Begin -->
 <!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 **ADMX mapping**:
 | Name | Value |
 |:--|:--|
 | Name | ConfigureIppTlsCertificatePolicy |
 | ADMX File Name | Printing.admx |
 <!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-End -->
 <!-- ConfigureIppTlsCertificatePolicy-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- ConfigureIppTlsCertificatePolicy-Examples-End -->
 <!-- ConfigureIppTlsCertificatePolicy-End -->
 <!-- ConfigureRedirectionGuardPolicy-Begin -->
 ## ConfigureRedirectionGuardPolicy
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -1,7 +1,7 @@
 ---
 title: VPNv2 CSP
 description: Learn more about the VPNv2 CSP.
-ms.date: 01/18/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
 <!-- Device-{ProfileName}-ByPassForLocal-Description-Begin -->
 <!-- Description-Source-DDF -->
-False: Don't Bypass for Local traffic.
+Not supported.
 True: ByPass VPN Interface for Local Traffic.
 Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
 <!-- Device-{ProfileName}-ByPassForLocal-Description-End -->
 <!-- Device-{ProfileName}-ByPassForLocal-Editable-Begin -->
@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
 <!-- User-{ProfileName}-ByPassForLocal-Description-Begin -->
 <!-- Description-Source-DDF -->
-False: Don't Bypass for Local traffic.
+Not supported.
 True: ByPass VPN Interface for Local Traffic.
 Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
 <!-- User-{ProfileName}-ByPassForLocal-Description-End -->
 <!-- User-{ProfileName}-ByPassForLocal-Editable-Begin -->
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@ -1,7 +1,7 @@
 ---
 title: VPNv2 DDF file
 description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
-ms.date: 06/28/2024
+ms.date: 01/14/2025
 ---
 <!-- Auto-Generated CSP Document -->
@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V
            <Replace />
          </AccessType>
          <Description>
-                        False : Do not Bypass for Local traffic
+                        Not supported.
                        True : ByPass VPN Interface for Local Traffic
                        Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
                    </Description>
          <DFFormat>
            <bool />
@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
            <Replace />
          </AccessType>
          <Description>
-                        False : Do not Bypass for Local traffic
+                        Not supported.
                        True : ByPass VPN Interface for Local Traffic
                        Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
                    </Description>
          <DFFormat>
            <bool />
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@ -48,7 +48,7 @@ items:
                href: enterprise-app-management.md
              - name: Manage updates
                href: device-update-management.md
-              - name: Updated Windows and Microsoft Copilot experience
+              - name: Updated Windows and Microsoft 365 Copilot Chat experience
                href: manage-windows-copilot.md
              - name: Manage Recall
                href: manage-recall.md
--- a/windows/configuration/taskbar/pinned-apps.md
+++ b/windows/configuration/taskbar/pinned-apps.md
@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 - **Value:** content of the XML file
 > [!NOTE]
-> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
+> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \&lt; and \&gt; entity encodings. Single and double quote characters do not need to be escaped.
 [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -294,6 +294,8 @@ items:
          href: update/windows-update-logs.md
        - name: Servicing stack updates
          href: update/servicing-stack-updates.md
        - name: Checkpoint cumulative updates and Microsoft Update Catalog usage
          href: update/catalog-checkpoint-cumulative-updates.md          
        - name: Update CSP policies
          href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
        - name: Update other Microsoft products
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@ -0,0 +1,93 @@
 ---
 title: Checkpoint cumulative updates and the Microsoft Update Catalog
 description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: conceptual
 ms.author: mstewart
 author: mestew
 manager: aaroncz
 ms.collection:
  - tier2
 ms.localizationpriority: medium
 appliesto: 
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 24H2 and later</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2025 and later</a>
 ms.date: 01/31/2025
 ---
 # Checkpoint cumulative updates and Microsoft Update Catalog usage
 <!--9693727-->
 Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
 ## Checkpoint cumulative updates
 Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
 With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
 Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
 - The update package files associated with the checkpoints, and
 - New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
 This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
 If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
 ### Applicability
 A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
 ### Update Windows installation media
 This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
 WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
 ## Updating from the Microsoft Update Catalog
 When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
 ### Finding prior checkpoint cumulative updates
 For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
   > <b>Install each MSU file individually, in order</b> <p>Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order: <ul><li> windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu </li> <li>windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu </li></ul>
 Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
 ### Updating through checkpoint cumulative updates
 **Device has the latest checkpoint cumulative update and doesn't need customization:**
 Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
 Examples of eligible devices:
 | Device is on | Needs to install| 
 |---|---|
 |<ul><li>The checkpoint cumulative update, 2024-09 (KB5043080)</li></ul>|<ul><li>A subsequent monthly security update like 2024-11 (KB5046617), or</li> <li>A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
 |<ul><li>A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or</li> <li> A subsequent monthly security update like 2024-10 (KB5044284)</li></ul>|<ul><li>A subsequent monthly security update like 2025-01 (KB5050009), or</li> <li> A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
 **Device needs FoD or language pack customization:**
 Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
 1.	Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
 1.	Mount the install.wim file.
 1.	Run `DISM /add-package` with the latest `.msu` file as the sole target.
 1.	Run `/Cleanup-Image /StartComponentCleanup`.
 1.	Unmount.
 1.	Run `DISM /export-image` to optimize the image size, if that's important to you.  
 **Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
 Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. 
 ## Related articles
 - [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
 - [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
 - [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
 - [Update Windows installation media with Dynamic Update](media-dynamic-update.md) 
--- a/windows/deployment/update/includes/checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@ -0,0 +1,17 @@
 ---
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.subservice: itpro-updates
 ms.service: windows-client
 ms.topic: include
 ms.date: 01/31/2025
 ms.localizationpriority: medium
 ---
 <!-- This file is used multiple times in release-cycle.md. Headings are driven by article context. 9693727-->
 Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
 - The update package files associated with the checkpoints, and
 - New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
 Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@ -1,6 +1,6 @@
 ---
 title: Update release cycle for Windows clients
-description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: conceptual
@ -11,7 +11,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 06/04/2024
+ms.date: 01/31/2025
 ---
 # Update release cycle for Windows clients
@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels:
 Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
 <!--Using include for checkpoint cumulative updates-->
 [!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
 ## Optional nonsecurity preview release
 **Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
 - LCU preview
 To access the optional nonsecurity preview release:
- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. 
+- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. 
 - Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
 - Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
 <!--Using include for checkpoint cumulative updates-->
 [!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
 ## OOB releases
 **Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
@ -83,6 +90,9 @@ Some key considerations about OOB releases include:
  - Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.  
 - Some OOB releases are classified as noncritical.
  - Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
 <!--Using include for checkpoint cumulative updates-->
 [!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
 ## Continuous innovation for Windows 11
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@ -11,7 +11,7 @@ ms.collection:
  - highpri
  - tier2
 ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements:
 1. **The date and time** - 2023-09-08 09:20:05
-1. **The log level** - Info, Warning, Error, Fatal Error
+2. **The log level** - Info, Warning, Error, Fatal Error
-1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
+3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
  The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
-1. **The message** - Operation completed successfully.
+4. **The message** - Operation completed successfully.
 See the following example:
--- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@ -8,7 +8,7 @@ ms.localizationpriority: medium
 ms.topic: conceptual
 ms.service: windows-client
 ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@ -12,7 +12,7 @@ ms.topic: troubleshooting
 ms.collection:
  - highpri
  - tier2
-ms.date: 01/18/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes"
    "FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
    "DeviceDriverInfo":null,
    "Remediation":[
-        
+
    ],
    "SetupPhaseInfo":null,
    "SetupOperationInfo":null
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@ -8,7 +8,7 @@ author: frankroj
 ms.localizationpriority: medium
 ms.topic: conceptual
 ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@ -8,7 +8,7 @@ author: frankroj
 ms.localizationpriority: medium
 ms.topic: conceptual
 ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -18,7 +18,7 @@ appliesto:
 > [!NOTE]
 >
-> This article is a 300 level article (moderately advanced).  
+> This article is a 300 level article (moderately advanced).
 >
 > See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@ -11,7 +11,7 @@ ms.collection:
  - highpri
  - tier2
 ms.subservice: itpro-deploy
-ms.date: 02/13/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@ -8,7 +8,7 @@ ms.service: windows-client
 author: frankroj
 ms.topic: conceptual
 ms.subservice: itpro-deploy
-ms.date: 08/30/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 08/30/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us
 ## What offline environments are supported?
-All currently supported 
+All currently supported
 The following table defines the supported combination of online and offline operating systems in USMT.
@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in
 ```xml
 <offline>
     <winDir>
-          <path>C:\Windows</path> 
+          <path>C:\Windows</path>
-          <path>D:\Windows</path> 
+          <path>D:\Windows</path>
-          <path>E:\</path> 
+          <path>E:\</path>
     </winDir>
     <failOnMultipleWinDir>1</failOnMultipleWinDir>
 </offline>
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th
              </changeGroup>
            </mappings>
          </localGroups>
-          
+
      -->
  </ProfileControl>
 </Configuration>
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c
   <objectSet>
      <pattern type="File">%CSIDL_PERSONAL%\* [*.doc] </pattern>
   </objectSet>
-</include> 
+</include>
 ```
 ### How does USMT process each component in an .xml file with multiple components?
@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3
     <objectSet>
          <pattern type="File"> C:\* [*.mp3]</pattern>
     </objectSet>
-</exclude>  
+</exclude>
 ```
 ### \<include\> and \<exclude\> rules precedence examples
@ -185,11 +185,11 @@ The destination computer contains the following files:
 A custom **.xml** file contains the following code:
 ```xml
-<include> 
+<include>
-   <objectSet> 
+   <objectSet>
-      <pattern type="File">c:\data\* [*]</pattern> 
+      <pattern type="File">c:\data\* [*]</pattern>
-   </objectSet> 
+   </objectSet>
-</include> 
+</include>
 ```
 For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file.
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@ -8,7 +8,7 @@ ms.service: windows-client
 author: frankroj
 ms.topic: conceptual
 ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra
 <component type="Documents" context="User">
        <displayName>My Video</displayName>
        <role role="Data">
-            <detects>           
+            <detects>
                <detect>
                    <condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
                </detect>
@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the `<displayName
    <rules>
         <include>
            <objectSet>
-                 <script>MigXmlHelper.GenerateDrivePatterns ("\Requests\* [*] ", "Fixed")</script>            
+                 <script>MigXmlHelper.GenerateDrivePatterns ("\Requests\* [*] ", "Fixed")</script>
-                 <script>MigXmlHelper.GenerateDrivePatterns ("*\Requests\* [*] ", "Fixed")</script>            
+                 <script>MigXmlHelper.GenerateDrivePatterns ("*\Requests\* [*] ", "Fixed")</script>
            </objectSet>
          </include>
    </rules>
@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the `<displayName
  <role role="Data">
    <rules>
         <include>
-            <objectSet>                 
+            <objectSet>
                 <pattern type="File"> C:\*\Presentations\* [*]</pattern>
                 <pattern type="File"> C:\Presentations\* [*]</pattern>
           </objectSet>
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@ -11,12 +11,12 @@ metadata:
  ms.mktglfcycl: deploy
  ms.sitesec: library
  audience: itpro
-  ms.date: 01/09/2024
+  ms.date: 01/29/2025
  ms.topic: faq
 title: Frequently Asked Questions
 summary: |
  **Applies to:**
-  
+
  - Windows 11
  - Windows 10
@ -30,13 +30,13 @@ sections:
          How much space is needed on the destination computer?
        answer: |
          The destination computer needs enough available space for the following items:
-          
+
          -   Operating system
-          
+
          -   Applications
-          
+
          -   Uncompressed store
-          
+
      - question: |
          Can the files and settings be stored directly on the destination computer or is a server needed?
        answer: |
@ -47,13 +47,13 @@ sections:
          - Directly on the destination computer.
          To store it directly on the destination computer:
-          
+
          1.  Create and share the directory `C:\store` on the destination computer.
-          
+
          1.  Run the **ScanState** tool on the source computer and save the files and settings to `\\<DestinationComputerName>\store`
-          
+
          1.  Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location.
-          
+
      - question: |
          Can data be migrated between operating systems with different languages?
        answer: |
@ -80,7 +80,7 @@ sections:
          How can a folder or a certain type of file be excluded from the migration?
        answer: |
          The **\<unconditionalExclude\>** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\<include\>** rules that are in the **.xml** files. For an example, see **\<unconditionalExclude\>** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md).
-          
+
      - question: |
          What happens to files that were located on a drive that don't exist on the destination computer?
        answer: |
@ -91,22 +91,22 @@ sections:
          - C:\\ is the system drive on the destination computer.
          the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\<locationModify\>** rules attempt to move data to a drive that doesn't exist on the destination computer.
-          
+
  - name: USMT .xml Files
    questions:
      - question: |
          Where are there examples of USMT **.xml** files?
        answer: |
          The following articles include examples of USMT **.xml** files:
-          
+
          -   [Exclude files and settings](usmt-exclude-files-and-settings.md)
-          
+
          -   [Reroute files and settings](usmt-reroute-files-and-settings.md)
-          
+
          -   [Include files and settings](usmt-include-files-and-settings.md)
-          
+
          -   [Custom XML examples](usmt-custom-xml-examples.md)
-          
+
      - question: |
          Can custom **.xml** files that were written for USMT 5.0 be used?
        answer: |
@ -121,9 +121,9 @@ sections:
          Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands?
        answer: |
          The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings.
-          
+
          If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-          
+
      - question: |
          Which files can be modified and specified on the command line?
        answer: |
@ -133,20 +133,20 @@ sections:
          What happens if the **.xml** files aren't specified on the command line?
        answer: |
          -   **ScanState**
-          
+
              If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated.
-          
+
          -   **LoadState**
-          
+
              If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-          
+
  - name: Conflicts and Precedence
    questions:
      - question: |
          What happens when there are conflicting XML rules or conflicting objects on the destination computer?
        answer: |
          For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
-          
+
 additionalContent: |
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library
 The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves.
  For example, specify the file
-  
+
  `C:\Windows\Notepad.exe`
-  
+
  as
-  
+
  **c:\\Windows\[Notepad.exe\]**
-  
+
  Similarly, specify the directory
-  
+
  `C:\Windows\System32`
-  
+
  as
-  
+
  **c:\\Windows\\System32**
-  
+
  Note the absence of the **\[\]** characters in second example.
  The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@ -8,7 +8,7 @@ ms.service: windows-client
 author: frankroj
 ms.topic: conceptual
 ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol
    There are three types of components:
    - Components that migrate the operating system settings.
-  
+
    - Components that migrate application settings.
    - Components that migrate users' files.
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@ -9,7 +9,7 @@ author: frankroj
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key.
 ```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
     <component type="Application" context="System">
-          <displayName>Component to migrate only registry value string</displayName> 
+          <displayName>Component to migrate only registry value string</displayName>
          <role role="Settings">
          <rules>
               <include>
                    <objectSet>
-                         <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]</pattern> 
+                         <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]</pattern>
                    </objectSet>
               </include>
          </rules>
@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
    <rules>
         <include>
            <objectSet>
-         <script>MigXmlHelper.GenerateDrivePatterns ("\EngineeringDrafts\* [*] ", "Fixed")</script>            
+         <script>MigXmlHelper.GenerateDrivePatterns ("\EngineeringDrafts\* [*] ", "Fixed")</script>
-         <script>MigXmlHelper.GenerateDrivePatterns ("*\EngineeringDrafts\* [*] ", "Fixed")</script>            
+         <script>MigXmlHelper.GenerateDrivePatterns ("*\EngineeringDrafts\* [*] ", "Fixed")</script>
       </objectSet>
          </include>
    </rules>
@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
  <role role="Data">
    <rules>
         <include>
-            <objectSet>                 
+            <objectSet>
 <pattern type="File"> C:\*\EngineeringDrafts\* [*]</pattern>
 <pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
       </objectSet>
@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive
    </rules>
  </role>
 </component>
-</migration> 
+</migration>
 ```
 ## Migrate a specific file
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@ -7,7 +7,7 @@ author: frankroj
 ms.reviewer: kevinmi,warrenw
 manager: aaroncz
 ms.author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: overview
 ms.collection:
  - highpri
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.collection:
  - highpri
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed
    </rules>
  </role>
 </component>
-</migration> 
+</migration>
 ```
 ## Reroute a specific file
@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin
 <displayName>Sample.doc into the Documents folder</displayName>
    <role role="Data">
      <rules>
-        <include> 
+        <include>
-          <objectSet>     
+          <objectSet>
                 <pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
          </objectSet>
        </include>
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -23,7 +23,7 @@ appliesto:
 - Microsoft Visual Studio
  - The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio.
-  
+
    For more information about how to use the schema with an XML authoring environment, see the environment's documentation.
 - [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS).
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/18/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file:
   <location type="Registry">%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]</location>
   <attributes>DWORD</attributes>
   <bytes>00000000</bytes>
-</object> 
+</object>
 ```
 ## \<bytes\>
@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file:
   <location type="Registry">%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]</location>
   <attributes>DWORD</attributes>
   <bytes>00000000</bytes>
-</object> 
+</object>
 ```
 ## \<commandLine\>
@ -1070,10 +1070,10 @@ Example:
               </externalProcess>
         </rules>
   </role>
-<!-- Migrate 
+<!-- Migrate
   all doc files from the system
   all power point files
-   all visio design files 
+   all visio design files
   all my c++ program files -->
   <extensions>
      <extension>DOC</extension>
@ -1126,18 +1126,18 @@ Syntax:
 For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\<component\>** element:
 ```xml
-<extensions> 
+<extensions>
-        <extension>doc</extension> 
+        <extension>doc</extension>
-<extensions> 
+<extensions>
 ```
 is the same as specifying the following code below the **\<rules\>** element:
 ```xml
-<include> 
+<include>
-        <objectSet> 
+        <objectSet>
-                <script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script> 
+                <script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
-        </objectSet> 
+        </objectSet>
 </include>
 ```
@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file:
         <path type="File">%CSIDL_MYVIDEO%</path>
      </paths>
      <role role="Data">
-         <detects>           
+         <detects>
            <detect>
               <condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
            </detect>
@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file:
         <path type="File">%CSIDL_MYMUSIC%</path>
      </paths>
   <role role="Data">
-      <detects>           
+      <detects>
      <detect>
         <condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")</condition>
      </detect>
-   </detects>           
+   </detects>
   <rules>
      <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
         <objectSet>
@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the
      <path type="File">%CSIDL_STARTMENU%</path>
   </paths>
   <role role="Settings">
-      <detects>           
+      <detects>
         <detect>
            <condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")</condition>
         </detect>
-      </detects>           
+      </detects>
   <rules>
      <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
         <objectSet>
@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file:
         <path type="File">%CSIDL_MYMUSIC%</path>
      </paths>
   <role role="Data">
-      <detects>           
+      <detects>
      <detect>
         <condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")</condition>
      </detect>
-   </detects>           
+   </detects>
   <rules>
      <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
         <objectSet>
@ -1969,7 +1969,7 @@ Examples:
 To migrate the Sample.doc file from any drive on the source computer, use **\<script\>** as follows. If multiple files exist with the same name, all such files get migrated.
 ```xml
-<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script> 
+<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
 ```
 For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
@ -2171,7 +2171,7 @@ For example:
 ```xml
 <variable name="QuickTime5or6DataSys">
-  <text>%CSIDL_COMMON_APPDATA%\QuickTime</text> 
+  <text>%CSIDL_COMMON_APPDATA%\QuickTime</text>
 </variable>
 ```
@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi
             <unconditionalExclude>
                        <objectSet>
    <script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
-                        </objectSet> 
+                        </objectSet>
             </unconditionalExclude>
            </rules>
        </role>
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
 ms.topic: conceptual
 ms.subservice: itpro-deploy
 appliesto:
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@ -40,9 +40,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati
 ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
-Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
+Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
-Key value: `**HotPatchRestrictions=1**`
+DWORD key value: HotPatchRestrictions=1
 > [!IMPORTANT]
 > This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
--- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - texttransform.exe
 - visualuiaverifynative.exe
 - system.management.automation.dll
- webclnt.dll/davsvc.dll
+- webclnt.dll/davsvc.dll<sup>3</sup>
 - wfc.exe
 - windbg.exe
 - wmic.exe
@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 <sup>2</sup> If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
 <sup>3</sup> If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
 <sup>*</sup> Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
 <br />
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@ -142,9 +142,10 @@
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
        ],
-        "application-security/application-control/windows-defender-application-control/**/*.md": [
+        "application-security/application-control/app-control-for-business/**/*.md": [
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2025</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@ -1,7 +1,7 @@
 ---
 title: Remote Desktop sign-in with Windows Hello for Business
 description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 06/11/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 ---
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
@ -2,7 +2,7 @@
 title: Transition into a passwordless deployment
 description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
 ms.topic: concept-article
-ms.date: 10/29/2024
+ms.date: 01/30/2025
 ---
 # Transition into a passwordless deployment
@ -123,7 +123,7 @@ function Generate-RandomPassword{
 $NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force
-Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
+Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset
 ```
 If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
 More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-### Where can I get an older version of a Windows baseline?
+### What file formats are supported by the SCT?
 Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
 - [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
 - [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
 - [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
 - [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
 ### What file formats are supported by the new SCT?
 The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
 | Name | Build | Baseline Release Date | Security Tools |
 |--|--|--|--|
 | Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 ### Microsoft products
 | Name | Details | Security Tools |
 |--|--|--|
-| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 | Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 ## Related articles
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of:
 - Windows 10 security baselines
  - Windows 10, version 22H2
  - Windows 10, version 21H2
  - Windows 10, version 20H2
  - Windows 10, version 1809
  - Windows 10, version 1607
  - Windows 10, version 1507
 - Windows Server security baselines
  - Windows Server 2025
  - Windows Server 2022
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012 R2
 - Microsoft Office security baseline
-  - Office 2016
+  - Microsoft 365 Apps for Enterprise Version 2412
  - Microsoft 365 Apps for Enterprise Version 2206
 - Microsoft Edge security baseline
  - Microsoft Edge version 128
 - Tools
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@ -1,7 +1,7 @@
 ---
 title: How to configure cryptographic settings for IKEv2 VPN connections
 description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 ---
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@ -1,7 +1,7 @@
 ---
 title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
 description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 ---
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@ -1,7 +1,7 @@
 ---
 title: VPN authentication options
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: concept-article
 ---
@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
 :::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
 ## Related topics
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
 - [VPN profile options](vpn-profile-options.md)
 - [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@ -1,7 +1,7 @@
 ---
 title: VPN auto-triggered profile options
 description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 ---
@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
 :::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN security features](vpn-security-features.md)
 - [VPN profile options](vpn-profile-options.md)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@ -1,7 +1,7 @@
 ---
 title: VPN and conditional access
 description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 ---
@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
 - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
 - Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
 See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
 - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
  - Antivirus status
  - Auto-update status and update compliance
@ -35,7 +35,7 @@ The following client-side components are also required:
 ## VPN device compliance
-At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `<SSO>` section.
 Server-side infrastructure requirements to support VPN device compliance include:
@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
  - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
 > [!NOTE]
-> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
+> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
-> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
+> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
 ## Client connection flow
@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
-1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
 1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
 1. If compliant, Microsoft Entra ID requests a short-lived certificate.
 1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
 - [VPN profile options](vpn-profile-options.md)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@ -1,7 +1,7 @@
 ---
 title: VPN connection types
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: concept-article
 ---
@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
 > [!div class="mx-imgBorder"]
 > ![Custom XML.](images/vpn-custom-xml-intune.png)
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
 - [VPN profile options](vpn-profile-options.md)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@ -1,7 +1,7 @@
 ---
 title: Windows VPN technical guide
 description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: overview
 ---
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@ -1,7 +1,7 @@
 ---
 title: VPN name resolution
 description: Learn how name resolution works when using a VPN connection.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: concept-article
 ---
@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
 | **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName**  |
 | **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers**  |
 | **Proxy server** |  **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers**  |
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
 - [VPN profile options](vpn-profile-options.md)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@ -2,7 +2,7 @@
 title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ---
 # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@ -1,7 +1,7 @@
 ---
 title: VPN profile options
 description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: how-to
 ---
@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
 - [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
 - [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@ -1,5 +1,5 @@
 ---
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 title: VPN routing decisions
 description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.topic: concept-article
@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
 ![split tunnel.](images/vpn-split.png)
 Once enabled, you can add the routes that should use the VPN connection.
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
 - [VPN profile options](vpn-profile-options.md)
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@ -1,7 +1,7 @@
 ---
 title: VPN security features
 description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
 ms.topic: concept-article
 ---
@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
 > [!CAUTION]
 > Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
 ## Related articles
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
 - [VPN authentication options](vpn-authentication.md)
 - [VPN and conditional access](vpn-conditional-access.md)
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN profile options](vpn-profile-options.md)