deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into main

Browse Source
This commit is contained in:
Meghan Stewart 2025-01-31 14:15:24 -08:00 committed by GitHub
commit 0d6268d464
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
96 changed files with 771 additions and 401 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.acrolinx-config.edn
View File

@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
|---------|:--------------:|:--------------------:|:------:|:---------:|
"

21
.github/workflows/BuildValidation.yml vendored Normal file
View File

@ -0,0 +1,21 @@
name: PR has no warnings or errors
permissions:
pull-requests: write
statuses: write
on:
issue_comment:
types: [created]
jobs:
build-status:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
with:
PayloadJson: ${{ toJSON(github) }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}

2
education/windows/federated-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Learn how federated sign-in in Windows works and how to configure it.
ms.date: 06/03/2024
ms.date: 01/27/2025
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

8
windows/client-management/manage-windows-copilot.md
View File

@ -3,7 +3,7 @@ title: Updated Windows and Microsoft 365 Copilot Chat experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
ms.date: 01/22/2025
ms.date: 01/28/2025
ms.author: mstewart
author: mestew
ms.collection:
@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe
The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
## Policy information for previous Copilot in Windows (preview) experience
@ -80,7 +80,7 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
You can remove or uninstall the Copilot app from your device by using one of the following methods:
1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
1. Prevent installation of the Copilot app:

8
windows/client-management/mdm/bitlocker-csp.md
View File

@ -551,6 +551,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages
- 2 = Store recovery passwords only
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
<!-- Device-FixedDrivesRecoveryOptions-Editable-End -->
<!-- Device-FixedDrivesRecoveryOptions-DFProperties-Begin -->
@ -2092,6 +2096,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages.
- 2 = Store recovery passwords only.
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
<!-- Device-SystemDrivesRecoveryOptions-Editable-End -->
<!-- Device-SystemDrivesRecoveryOptions-DFProperties-Begin -->

4
windows/client-management/mdm/healthattestation-csp.md
View File

@ -1,7 +1,7 @@
---
title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP.
ms.date: 01/31/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no
<!-- Device-AttestErrorMessage-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later <br> ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later <br> ✅ Windows Insider Preview |
<!-- Device-AttestErrorMessage-Applicability-End -->
<!-- Device-AttestErrorMessage-OmaUri-Begin -->

4
windows/client-management/mdm/healthattestation-ddf.md
View File

@ -1,7 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>99.9.99999, 10.0.26100.2314, 10.0.22621.4541</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>

17
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Connectivity
- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
- [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
- [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
- [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DeviceGuard
- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
## Reboot CSP
- [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)

57
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -1,7 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read
<!-- DisableCellularSettingsPage-End -->
<!-- DisableCrossDeviceResume-Begin -->
## DisableCrossDeviceResume
<!-- DisableCrossDeviceResume-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCrossDeviceResume-Applicability-End -->
<!-- DisableCrossDeviceResume-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
```
<!-- DisableCrossDeviceResume-OmaUri-End -->
<!-- DisableCrossDeviceResume-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC.
- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
<!-- DisableCrossDeviceResume-Description-End -->
<!-- DisableCrossDeviceResume-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Editable-End -->
<!-- DisableCrossDeviceResume-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCrossDeviceResume-DFProperties-End -->
<!-- DisableCrossDeviceResume-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CrossDeviceResume is Enabled. |
| 1 | CrossDeviceResume is Disabled. |
<!-- DisableCrossDeviceResume-AllowedValues-End -->
<!-- DisableCrossDeviceResume-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Examples-End -->
<!-- DisableCrossDeviceResume-End -->
<!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
## DisableDownloadingOfPrintDriversOverHTTP

148
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -1,7 +1,7 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 01/21/2025
---
<!-- Auto-Generated CSP Document -->
@ -34,11 +34,7 @@ ms.date: 08/06/2024
<!-- DOAbsoluteMaxCacheSize-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum size in GB of Delivery Optimization cache.
This policy overrides the DOMaxCacheSize policy.
The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy.
<!-- DOAbsoluteMaxCacheSize-Description-End -->
<!-- DOAbsoluteMaxCacheSize-Editable-Begin -->
@ -93,7 +89,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
<!-- DOAllowVPNPeerCaching-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
<!-- DOAllowVPNPeerCaching-Description-End -->
<!-- DOAllowVPNPeerCaching-Editable-Begin -->
@ -125,8 +121,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con
| Name | Value |
|:--|:--|
| Name | AllowVPNPeerCaching |
| Friendly Name | Enable Peer Caching while the device connects via VPN |
| Element Name | Enable Peer Caching while the device connects via VPN. |
| Friendly Name | Enable P2P while the device connects via VPN |
| Element Name | Enable P2P while the device connects via VPN. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -156,9 +152,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con
<!-- DOCacheHost-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!-- DOCacheHost-Description-End -->
<!-- DOCacheHost-Editable-Begin -->
@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or
<!-- DOCacheHostSource-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
Options available are:
0 = Disable DNS-SD.
1 = DHCP Option 235.
Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically.
1 = DHCP Option 235
2 = DHCP Option 235 Force.
If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
<!-- DOCacheHostSource-Description-End -->
<!-- DOCacheHostSource-Editable-Begin -->
@ -240,10 +227,18 @@ If this policy isn't configured, the client will attempt to automatically find a
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- DOCacheHostSource-DFProperties-End -->
<!-- DOCacheHostSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | DHCP Option 235. |
| 2 | DHCP Option 235 Force. |
<!-- DOCacheHostSource-AllowedValues-End -->
<!-- DOCacheHostSource-GpMapping-Begin -->
**Group policy mapping**:
@ -281,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a
<!-- DODelayBackgroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 hour (3600).
For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayBackgroundDownloadFromHttp-Description-End -->
<!-- DODelayBackgroundDownloadFromHttp-Editable-Begin -->
@ -311,7 +300,7 @@ The recommended value is 1 hour (3600).
| Name | Value |
|:--|:--|
| Name | DelayBackgroundDownloadFromHttp |
| Friendly Name | Delay background download from http (in secs) |
| Friendly Name | Delay background download from http (in seconds) |
| Element Name | Delay background download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@ -342,7 +331,7 @@ The recommended value is 1 hour (3600).
<!-- DODelayCacheServerFallbackBackground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackBackground-Description-End -->
<!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
@ -397,7 +386,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayCacheServerFallbackForeground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackForeground-Description-End -->
<!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@ -452,13 +441,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayForegroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 minute (60).
For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayForegroundDownloadFromHttp-Description-End -->
<!-- DODelayForegroundDownloadFromHttp-Editable-Begin -->
@ -482,7 +465,7 @@ The recommended value is 1 minute (60).
| Name | Value |
|:--|:--|
| Name | DelayForegroundDownloadFromHttp |
| Friendly Name | Delay Foreground download from http (in secs) |
| Friendly Name | Delay Foreground download from http (in seconds) |
| Element Name | Delay Foreground download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@ -513,7 +496,7 @@ The recommended value is 1 minute (60).
<!-- DODisallowCacheServerDownloadsOnVPN-Description-Begin -->
<!-- Description-Source-DDF -->
Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
<!-- DODisallowCacheServerDownloadsOnVPN-Description-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-Editable-Begin -->
@ -535,8 +518,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
| Value | Description |
|:--|:--|
| 0 (Default) | Allowed. |
| 1 | Not allowed. |
| 0 (Default) | Not Set. |
| 1 | Enabled. |
<!-- DODisallowCacheServerDownloadsOnVPN-AllowedValues-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-GpMapping-Begin -->
@ -572,7 +555,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
<!-- DODownloadMode-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
<!-- DODownloadMode-Description-End -->
<!-- DODownloadMode-Editable-Begin -->
@ -598,10 +581,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
|:--|:--|
| 0 (Default) | HTTP only, no peering. |
| 1 | HTTP blended with peering behind the same NAT. |
| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
| 2 | HTTP blended with peering across a private group. |
| 3 | HTTP blended with Internet peering. |
| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
| 99 | HTTP only, no peering, no use of DO cloud service. |
| 100 | Bypass mode, deprecated in Windows 11. |
<!-- DODownloadMode-AllowedValues-End -->
<!-- DODownloadMode-GpMapping-Begin -->
@ -641,11 +624,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
<!-- DOGroupId-Description-Begin -->
<!-- Description-Source-ADMX -->
Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN.
Note this is a best effort optimization and shouldn't be relied on for an authentication of identity.
Specifies an arbitrary group ID that the device belongs to. A GUID must be used.
<!-- DOGroupId-Description-End -->
<!-- DOGroupId-Editable-Begin -->
@ -698,7 +677,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
<!-- DOGroupIdSource-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
Specifies the source of group ID used for peer selection.
<!-- DOGroupIdSource-Description-End -->
<!-- DOGroupIdSource-Editable-Begin -->
@ -722,12 +701,12 @@ Set this policy to restrict peer selection to a specific source. Available optio
| Value | Description |
|:--|:--|
| 0 (Default) | Unset. |
| 0 (Default) | Not Set. |
| 1 | AD site. |
| 2 | Authenticated domain SID. |
| 3 | DHCP user option. |
| 4 | DNS suffix. |
| 5 | Microsoft Entra ID. |
| 3 | DHCP Option ID. |
| 4 | DNS Suffix. |
| 5 | Entra ID Tenant ID. |
<!-- DOGroupIdSource-AllowedValues-End -->
<!-- DOGroupIdSource-GpMapping-Begin -->
@ -768,8 +747,6 @@ Set this policy to restrict peer selection to a specific source. Available optio
<!-- DOMaxBackgroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxBackgroundDownloadBandwidth-Description-End -->
<!-- DOMaxBackgroundDownloadBandwidth-Editable-Begin -->
@ -824,7 +801,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMaxCacheAge-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
<!-- DOMaxCacheAge-Description-End -->
<!-- DOMaxCacheAge-Editable-Begin -->
@ -879,7 +856,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
<!-- DOMaxCacheSize-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
<!-- DOMaxCacheSize-Description-End -->
<!-- DOMaxCacheSize-Editable-Begin -->
@ -935,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
<!-- DOMaxForegroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxForegroundDownloadBandwidth-Description-End -->
<!-- DOMaxForegroundDownloadBandwidth-Editable-Begin -->
@ -991,7 +966,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMinBackgroundQos-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
<!-- DOMinBackgroundQos-Description-End -->
<!-- DOMinBackgroundQos-Editable-Begin -->
@ -1046,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se
<!-- DOMinBatteryPercentageAllowedToUpload-Description-Begin -->
<!-- Description-Source-ADMX -->
Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
The value 0 means "not-limited"; The cloud service set default value will be used.
Specifies the minimum battery level required for uploading to peers, while on battery power.
<!-- DOMinBatteryPercentageAllowedToUpload-Description-End -->
<!-- DOMinBatteryPercentageAllowedToUpload-Editable-Begin -->
@ -1105,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use
<!-- DOMinDiskSizeAllowedToPeer-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
Specifies the required minimum total disk size in GB for the device to use P2P.
<!-- DOMinDiskSizeAllowedToPeer-Description-End -->
<!-- DOMinDiskSizeAllowedToPeer-Editable-Begin -->
@ -1134,8 +1100,8 @@ Recommended values: 64 GB to 256 GB.
| Name | Value |
|:--|:--|
| Name | MinDiskSizeAllowedToPeer |
| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Friendly Name | Minimum disk size allowed to use P2P (in GB) |
| Element Name | Minimum disk size allowed to use P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1165,7 +1131,7 @@ Recommended values: 64 GB to 256 GB.
<!-- DOMinFileSizeToCache-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
Specifies the minimum content file size in MB eligible to use P2P.
<!-- DOMinFileSizeToCache-Description-End -->
<!-- DOMinFileSizeToCache-Editable-Begin -->
@ -1189,8 +1155,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
| Name | Value |
|:--|:--|
| Name | MinFileSizeToCache |
| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
| Element Name | Minimum Peer Caching Content File Size (in MB) |
| Friendly Name | Minimum P2P Content File Size (in MB) |
| Element Name | Minimum P2P Content File Size (in MB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1220,7 +1186,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
<!-- DOMinRAMAllowedToPeer-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
Specifies the minimum total RAM size in GB required to use P2P.
<!-- DOMinRAMAllowedToPeer-Description-End -->
<!-- DOMinRAMAllowedToPeer-Editable-Begin -->
@ -1244,8 +1210,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
| Name | Value |
|:--|:--|
| Name | MinRAMAllowedToPeer |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1275,9 +1241,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
<!-- DOModifyCacheDrive-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the drive Delivery Optimization shall use for its cache.
By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
<!-- DOModifyCacheDrive-Description-End -->
<!-- DOModifyCacheDrive-Editable-Begin -->
@ -1330,7 +1294,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
<!-- DOMonthlyUploadDataCap-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
<!-- DOMonthlyUploadDataCap-Description-End -->
<!-- DOMonthlyUploadDataCap-Editable-Begin -->
@ -1386,8 +1350,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to
<!-- DOPercentageMaxBackgroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
<!-- DOPercentageMaxBackgroundBandwidth-Description-End -->
<!-- DOPercentageMaxBackgroundBandwidth-Editable-Begin -->
@ -1445,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set.
<!-- DOPercentageMaxForegroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
<!-- DOPercentageMaxForegroundBandwidth-Description-End -->
<!-- DOPercentageMaxForegroundBandwidth-Editable-Begin -->
@ -1501,7 +1461,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DORestrictPeerSelectionBy-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
<!-- DORestrictPeerSelectionBy-Description-End -->
<!-- DORestrictPeerSelectionBy-Editable-Begin -->
@ -1528,7 +1488,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
|:--|:--|
| 0 (Default) | None. |
| 1 | Subnet mask. |
| 2 | Local peer discovery (DNS-SD). |
| 2 | Local discovery (DNS-SD). |
<!-- DORestrictPeerSelectionBy-AllowedValues-End -->
<!-- DORestrictPeerSelectionBy-GpMapping-Begin -->
@ -1681,7 +1641,7 @@ This policy allows an IT Admin to define the following details:
<!-- DOVpnKeywords-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma.
<!-- DOVpnKeywords-Description-End -->
<!-- DOVpnKeywords-Editable-Begin -->

68
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -1,7 +1,7 @@
---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- DeviceGuard-Begin -->
# Policy CSP - DeviceGuard
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-Editable-End -->
@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
<!-- LsaCfgFlags-End -->
<!-- MachineIdentityIsolation-Begin -->
## MachineIdentityIsolation
<!-- MachineIdentityIsolation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MachineIdentityIsolation-Applicability-End -->
<!-- MachineIdentityIsolation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
```
<!-- MachineIdentityIsolation-OmaUri-End -->
<!-- MachineIdentityIsolation-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
<!-- MachineIdentityIsolation-Description-End -->
<!-- MachineIdentityIsolation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Editable-End -->
<!-- MachineIdentityIsolation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- MachineIdentityIsolation-DFProperties-End -->
<!-- MachineIdentityIsolation-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
<!-- MachineIdentityIsolation-AllowedValues-End -->
<!-- MachineIdentityIsolation-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Machine Identity Isolation Configuration. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- MachineIdentityIsolation-GpMapping-End -->
<!-- MachineIdentityIsolation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Examples-End -->
<!-- MachineIdentityIsolation-End -->
<!-- RequirePlatformSecurityFeatures-Begin -->
## RequirePlatformSecurityFeatures

181
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 09/27/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin -->
## ForcePrivacyScreen
<!-- ForcePrivacyScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
```
<!-- ForcePrivacyScreen-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedOff. |
| 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreen |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End -->
<!-- ForcePrivacyScreen-End -->
<!-- ForcePrivacyScreenDim-Begin -->
## ForcePrivacyScreenDim
<!-- ForcePrivacyScreenDim-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
```
<!-- ForcePrivacyScreenDim-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenDim |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End -->
<!-- ForcePrivacyScreenDim-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-CspMoreInfo-End -->

54
windows/client-management/mdm/policy-csp-printers.md
View File

@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Printers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Printers-Editable-End -->
@ -348,6 +350,56 @@ The following are the supported values:
<!-- ConfigureIppPageCountsPolicy-End -->
<!-- ConfigureIppTlsCertificatePolicy-Begin -->
## ConfigureIppTlsCertificatePolicy
<!-- ConfigureIppTlsCertificatePolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureIppTlsCertificatePolicy-Applicability-End -->
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
```
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-End -->
<!-- ConfigureIppTlsCertificatePolicy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- ConfigureIppTlsCertificatePolicy-Description-End -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-End -->
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-End -->
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureIppTlsCertificatePolicy |
| ADMX File Name | Printing.admx |
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-End -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-End -->
<!-- ConfigureIppTlsCertificatePolicy-End -->
<!-- ConfigureRedirectionGuardPolicy-Begin -->
## ConfigureRedirectionGuardPolicy

14
windows/client-management/mdm/vpnv2-csp.md
View File

@ -1,7 +1,7 @@
---
title: VPNv2 CSP
description: Learn more about the VPNv2 CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- Device-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- Device-{ProfileName}-ByPassForLocal-Description-End -->
<!-- Device-{ProfileName}-ByPassForLocal-Editable-Begin -->
@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- User-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- User-{ProfileName}-ByPassForLocal-Description-End -->
<!-- User-{ProfileName}-ByPassForLocal-Editable-Begin -->

12
windows/client-management/mdm/vpnv2-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />
@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />

2
windows/client-management/toc.yml
View File

@ -48,7 +48,7 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
- name: Updated Windows and Microsoft Copilot experience
- name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md

2
windows/configuration/taskbar/pinned-apps.md
View File

@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
- **Value:** content of the XML file
> [!NOTE]
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \&lt; and \&gt; entity encodings. Single and double quote characters do not need to be escaped.
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]

2
windows/deployment/TOC.yml
View File

@ -294,6 +294,8 @@ items:
href: update/windows-update-logs.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
- name: Checkpoint cumulative updates and Microsoft Update Catalog usage
href: update/catalog-checkpoint-cumulative-updates.md
- name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
- name: Update other Microsoft products

93
windows/deployment/update/catalog-checkpoint-cumulative-updates.md Normal file
View File

@ -0,0 +1,93 @@
---
title: Checkpoint cumulative updates and the Microsoft Update Catalog
description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 24H2 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2025 and later</a>
ms.date: 01/31/2025
---
# Checkpoint cumulative updates and Microsoft Update Catalog usage
<!--9693727-->
Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
## Checkpoint cumulative updates
Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
### Applicability
A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
### Update Windows installation media
This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
## Updating from the Microsoft Update Catalog
When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
### Finding prior checkpoint cumulative updates
For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
> <b>Install each MSU file individually, in order</b> <p>Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order: <ul><li> windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu </li> <li>windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu </li></ul>
Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
### Updating through checkpoint cumulative updates
**Device has the latest checkpoint cumulative update and doesn't need customization:**
Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
Examples of eligible devices:
| Device is on | Needs to install|
|---|---|
|<ul><li>The checkpoint cumulative update, 2024-09 (KB5043080)</li></ul>|<ul><li>A subsequent monthly security update like 2024-11 (KB5046617), or</li> <li>A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
|<ul><li>A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or</li> <li> A subsequent monthly security update like 2024-10 (KB5044284)</li></ul>|<ul><li>A subsequent monthly security update like 2025-01 (KB5050009), or</li> <li> A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
**Device needs FoD or language pack customization:**
Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
1. Mount the install.wim file.
1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
1. Run `/Cleanup-Image /StartComponentCleanup`.
1. Unmount.
1. Run `DISM /export-image` to optimize the image size, if that's important to you.
**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)

17
windows/deployment/update/includes/checkpoint-cumulative-updates.md Normal file
View File

@ -0,0 +1,17 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
ms.date: 01/31/2025
ms.localizationpriority: medium
---
<!-- This file is used multiple times in release-cycle.md. Headings are driven by article context. 9693727-->
Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.

16
windows/deployment/update/release-cycle.md
View File

@ -1,6 +1,6 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle forupdates so Windows clients in your organization stay productive and protected.
description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/04/2024
ms.date: 01/31/2025
---
# Update release cycle for Windows clients
@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
<!--Using include for checkpoint cumulative updates-->
[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
To access the optional nonsecurity preview release:
- Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
<!--Using include for checkpoint cumulative updates-->
[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
@ -84,6 +91,9 @@ Some key considerations about OOB releases include:
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
<!--Using include for checkpoint cumulative updates-->
[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Continuous innovation for Windows 11
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional nonsecurity preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.

8
windows/deployment/upgrade/log-files.md
View File

@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
1. **The log level** - Info, Warning, Error, Fatal Error
2. **The log level** - Info, Warning, Error, Fatal Error
1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
1. **The message** - Operation completed successfully.
4. **The message** - Operation completed successfully.
See the following example:

2
windows/deployment/upgrade/resolve-windows-upgrade-errors.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.service: windows-client
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/upgrade/setupdiag.md
View File

@ -12,7 +12,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/upgrade/submit-errors.md
View File

@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/upgrade/windows-error-reporting.md
View File

@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/upgrade/windows-upgrade-paths.md
View File

@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
ms.date: 02/13/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

2
windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
View File

@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 08/30/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/usmt/migrate-application-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 08/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/migration-store-types-overview.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/offline-migration-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/understanding-migration-xml-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-best-practices.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-choose-migration-store-type.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-command-line-syntax.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-common-migration-scenarios.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-configxml-file.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-conflicts-and-precedence.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-custom-xml-examples.md
View File

@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/09/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/usmt/usmt-customize-xml-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-determine-what-to-migrate.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-estimate-migration-store-size.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-exclude-files-and-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-faq.yml
View File

@ -11,7 +11,7 @@ metadata:
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: faq
title: Frequently Asked Questions
summary: |

2
windows/deployment/usmt/usmt-general-conventions.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-hard-link-migration-store.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-how-it-works.md
View File

@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/09/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/usmt/usmt-how-to.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-application-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-operating-system-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-users.md
View File

@ -9,7 +9,7 @@ author: frankroj
ms.topic: conceptual
ms.localizationpriority: medium
ms.subservice: itpro-deploy
ms.date: 01/09/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/usmt/usmt-include-files-and-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-loadstate-syntax.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 04/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-log-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-migrate-user-accounts.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-migration-store-encryption.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-overview.md
View File

@ -7,7 +7,7 @@ author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: overview
ms.collection:
- highpri

2
windows/deployment/usmt/usmt-plan-your-migration.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-recognized-environment-variables.md
View File

@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.collection:
- highpri

2
windows/deployment/usmt/usmt-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-requirements.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 04/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-reroute-files-and-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-resources.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 04/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-technical-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-test-your-migration.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-topics.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-troubleshooting.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-utilities.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-what-does-usmt-migrate.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/18/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-xml-elements-library.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-xml-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/xml-file-requirements.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

6
windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
View File

@ -40,9 +40,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati
### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
Key value: `**HotPatchRestrictions=1**`
This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
DWORD key value: HotPatchRestrictions=1
> [!IMPORTANT]
> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.

4
windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
View File

@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- webclnt.dll/davsvc.dll
- webclnt.dll/davsvc.dll<sup>3</sup>
- wfc.exe
- windbg.exe
- wmic.exe
@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
<sup>2</sup> If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
<sup>3</sup> If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
<sup>*</sup> Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
<br />

3
windows/security/docfx.json
View File

@ -142,9 +142,10 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"application-security/application-control/windows-defender-application-control/**/*.md": [
"application-security/application-control/app-control-for-business/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2025</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"

2
windows/security/identity-protection/hello-for-business/rdp-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
ms.date: 06/11/2024
ms.date: 01/27/2025
ms.topic: how-to
---

4
windows/security/identity-protection/passwordless-strategy/journey-step-3.md
View File

@ -2,7 +2,7 @@
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
ms.date: 10/29/2024
ms.date: 01/30/2025
---
# Transition into a passwordless deployment
@ -123,7 +123,7 @@ function Generate-RandomPassword{
$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force
Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset
```
If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.

15
windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
View File

@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
### Where can I get an older version of a Windows baseline?
Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
### What file formats are supported by the new SCT?
### What file formats are supported by the SCT?
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
|--|--|--|--|
| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
### Microsoft products
| Name | Details | Security Tools |
|--|--|--|
| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles

6
windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
View File

@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Microsoft Office security baseline
- Office 2016
- Microsoft 365 Apps for Enterprise Version 2206
- Microsoft 365 Apps for Enterprise Version 2412
- Microsoft Edge security baseline
- Microsoft Edge version 128
- Tools

2
windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---

2
windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---

13
windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)

13
windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
View File

@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

23
windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
View File

@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `<SSO>` section.
Server-side infrastructure requirements to support VPN device compliance include:
@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

12
windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
View File

@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> ![Custom XML.](images/vpn-custom-xml-intune.png)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

2
windows/security/operating-system-security/network-security/vpn/vpn-guide.md
View File

@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: overview
---

13
windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
View File

@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

2
windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
View File

@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
ms.date: 05/06/2024
ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client

12
windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)

13
windows/security/operating-system-security/network-security/vpn/vpn-routing.md
View File

@ -1,5 +1,5 @@
---
ms.date: 05/06/2024
ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
![split tunnel.](images/vpn-split.png)
Once enabled, you can add the routes that should use the VPN connection.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

13
windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
View File

@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)