Merge branch 'main' into ADO-9517656-Update-for-Business

This commit is contained in:
Gary Moore 2025-02-11 21:11:41 -08:00
commit 2086399999
21 changed files with 312 additions and 105 deletions

View File

@ -60,7 +60,10 @@
"shdyas",
"Stacyrch140",
"garycentric",
"dstrome"
"dstrome",
"padmagit77",
"aditisrivastava07",
"Ruchika-mittal01"
]
},
"fileMetadata": {

View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 01/14/2025
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -19,6 +19,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TurnOffApplicationFootprint](policy-csp-appdeviceinventory.md#turnoffapplicationfootprint)
- [TurnOffWin32AppBackup](policy-csp-appdeviceinventory.md#turnoffwin32appbackup)
## ApplicationManagement
- [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules)
## ClientCertificateInstall CSP
- [AttestPrivateKey](clientcertificateinstall-csp.md#userscepuniqueidinstallattestprivatekey)
@ -108,6 +112,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## LocalPoliciesSecurityOptions
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_typeofadminapprovalmode)
@ -121,6 +126,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## NewsAndInterests
- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
- [DisableWidgetsBoard](policy-csp-newsandinterests.md#disablewidgetsboard)
## PassportForWork CSP
@ -130,14 +136,14 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
## Reboot CSP
- [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)
## RemoteDesktopServices
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## SettingsSync
- [EnableWindowsbackup](policy-csp-settingssync.md#enablewindowsbackup)
## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)

View File

@ -172,6 +172,8 @@ This policy setting allows you to specify which DNS host names and which DNS suf
<!-- HostToRealm-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit.
<!-- HostToRealm-Editable-End -->
<!-- HostToRealm-DFProperties-Begin -->
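Review bot: the new note says the policy "would not apply" past 2048 characters but not how that failure surfaces, and a host-to-realm mapping that is silently dropped is exactly the kind of misconfiguration an admin only notices once authentication goes to the wrong realm; state whether the CSP rejects the Add/Replace with an error or accepts the value and ignores it. Minor: these pages use contractions elsewhere ("doesn't", "isn't"), so "won't apply" matches house style.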

View File

@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 11/26/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,10 @@ ms.date: 11/26/2024
<!-- ApplicationManagement-Begin -->
# Policy CSP - ApplicationManagement
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- ApplicationManagement-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ApplicationManagement-Editable-End -->
@ -283,6 +287,56 @@ Allows or denies development of Microsoft Store applications and installing them
<!-- AllowDeveloperUnlock-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-Begin -->
## AllowedNonAdminPackageFamilyNameRules
<!-- AllowedNonAdminPackageFamilyNameRules-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowedNonAdminPackageFamilyNameRules-Applicability-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowedNonAdminPackageFamilyNameRules
```
<!-- AllowedNonAdminPackageFamilyNameRules-OmaUri-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- AllowedNonAdminPackageFamilyNameRules-Description-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowedNonAdminPackageFamilyNameRules-Editable-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowedNonAdminPackageFamilyNameRules-DFProperties-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | AllowedNonAdminPackageFamilyNameRules |
| ADMX File Name | AppxPackageManager.admx |
<!-- AllowedNonAdminPackageFamilyNameRules-AdmxBacked-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowedNonAdminPackageFamilyNameRules-Examples-End -->
<!-- AllowedNonAdminPackageFamilyNameRules-End -->
<!-- AllowGameDVR-Begin -->
## AllowGameDVR
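Review bot: this section ships with no semantics at all: `<!-- Description-Source-Not-Found -->` where the description should be, `<!-- ADMX-Not-Found -->` immediately above a claimed ADMX mapping to AppxPackageManager.admx, a `chr` format with no rule syntax, and an empty Examples block. For a policy whose name implies it decides which package family names non-admin users may install, that leaves an admin nothing to configure safely. Add the meaning and the rule syntax in the Editable block (which survives regeneration), or hold the section until the DDF/ADMX source text lands.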

View File

@ -1,7 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
ms.date: 01/14/2025
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -314,7 +314,7 @@ This policy is deprecated.
<!-- AllowPhonePCLinking-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC.
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that require linking between Phone and PC.
- If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences.
@ -1012,9 +1012,9 @@ For more information, see [MS15-011: Vulnerability in Group Policy could allow r
Determines whether a user can install and configure the Network Bridge.
> [!IMPORTANT]
> This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply.
> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply.
The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder.
If you disable this setting or don't configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting doesn't remove an existing Network Bridge from the user's computer.
<!-- ProhibitInstallationAndConfigurationOfNetworkBridge-Description-End -->

View File

@ -1,7 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,7 +9,7 @@ ms.date: 11/05/2024
<!-- LocalPoliciesSecurityOptions-Begin -->
# Policy CSP - LocalPoliciesSecurityOptions
[!INCLUDE [Windows Windows Insider Preview tip](includes/mdm-insider-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LocalPoliciesSecurityOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
@ -517,7 +517,7 @@ Audit: Shut down system immediately if unable to log security audits This securi
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-Begin -->
<!-- Description-Source-DDF -->
Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-End -->
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Editable-Begin -->
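Review bot: "This capability can be given to: Administrators Administrators and Interactive Users" reads as a duplicated word; it is a flattened two-item list ("Administrators" and "Administrators and Interactive Users"). Because this sits in the auto-generated Description block, the fix belongs in the DDF source text (a separator or line break between the two options); failing that, a one-line clarification in the Editable block below.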
@ -1568,13 +1568,12 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
> [!NOTE]
> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release.
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release.
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-DFProperties-Begin -->
@ -1783,7 +1782,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This
- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-End -->
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Editable-Begin -->
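Review bot: the only change in this hunk is "are enabled" to "is enabled" in a sentence whose subject is "both client-side and server-side SMB signing", where the original plural was the natural reading. If this came in with a DDF update, fine; if it is a hand edit inside the Description block it will be overwritten at the next regeneration, which is exactly why the note two hunks up was moved into the Editable block. Same pass could fix "reference:< https://go.microsoft.com/fwlink/?LinkID=787136>", where the stray space and mismatched angle bracket break the link.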
@ -2024,7 +2023,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only.
> [!IMPORTANT]
> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Description-End -->
<!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Editable-Begin -->
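Review bot: same "are" to "is" edit as in the client-side hunk above, inside an auto-generated Description block; see that comment. Separately, the unchanged context line "- If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only." is garbled: this is the server-side setting, and "on domain controllers only" looks like a fragment of the default-value sentence. Worth fixing in the same DDF pass.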

View File

@ -1,7 +1,7 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
ms.date: 11/27/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -84,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t
<!-- AllowNewsAndInterests-End -->
<!-- DisableWidgetsBoard-Begin -->
## DisableWidgetsBoard
<!-- DisableWidgetsBoard-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableWidgetsBoard-Applicability-End -->
<!-- DisableWidgetsBoard-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsBoard
```
<!-- DisableWidgetsBoard-OmaUri-End -->
<!-- DisableWidgetsBoard-Description-Begin -->
<!-- Description-Source-DDF -->
Disable widgets board.
<!-- DisableWidgetsBoard-Description-End -->
<!-- DisableWidgetsBoard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableWidgetsBoard-Editable-End -->
<!-- DisableWidgetsBoard-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableWidgetsBoard-DFProperties-End -->
<!-- DisableWidgetsBoard-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enabled. |
| 1 | Disabled. |
<!-- DisableWidgetsBoard-AllowedValues-End -->
<!-- DisableWidgetsBoard-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableWidgetsBoard |
| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
<!-- DisableWidgetsBoard-GpMapping-End -->
<!-- DisableWidgetsBoard-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableWidgetsBoard-Examples-End -->
<!-- DisableWidgetsBoard-End -->
<!-- DisableWidgetsOnLockScreen-Begin -->
## DisableWidgetsOnLockScreen
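Review bot: the allowed-values table is ambiguous: "0 (Default) | Enabled." and "1 | Disabled." can be read as the state of the policy or the state of the widgets board, and for a policy named DisableWidgetsBoard those are opposites. Spell it out, e.g. "0 | Widgets board is enabled (not disabled)." and "1 | Widgets board is disabled.", and expand the one-line description "Disable widgets board." to say what this removes versus AllowNewsAndInterests directly above, which the context line says applies to the entire widgets experience.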

View File

@ -1,7 +1,7 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SettingsSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-Editable-End -->
@ -137,6 +139,56 @@ If you don't set or disable this setting, syncing of the "language preferences"
<!-- DisableLanguageSettingSync-End -->
<!-- EnableWindowsbackup-Begin -->
## EnableWindowsbackup
<!-- EnableWindowsbackup-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableWindowsbackup-Applicability-End -->
<!-- EnableWindowsbackup-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SettingsSync/EnableWindowsbackup
```
<!-- EnableWindowsbackup-OmaUri-End -->
<!-- EnableWindowsbackup-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableWindowsbackup-Description-End -->
<!-- EnableWindowsbackup-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableWindowsbackup-Editable-End -->
<!-- EnableWindowsbackup-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableWindowsbackup-DFProperties-End -->
<!-- EnableWindowsbackup-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableWindowsbackup |
| ADMX File Name | SettingSync.admx |
<!-- EnableWindowsbackup-AdmxBacked-End -->
<!-- EnableWindowsbackup-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableWindowsbackup-Examples-End -->
<!-- EnableWindowsbackup-End -->
<!-- SettingsSync-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-CspMoreInfo-End -->
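Review bot: same gap as the AllowedNonAdminPackageFamilyNameRules section in this commit: no description (`<!-- Description-Source-Not-Found -->`), `<!-- ADMX-Not-Found -->` above an ADMX mapping to SettingSync.admx, a `chr` format for a policy whose name reads as a boolean switch, no allowed values, and an empty Examples block. Document what the string is expected to contain and which direction the control works (does setting it enable or disable Windows Backup, and for what), since a settings-sync control decides what leaves the device.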

View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 12/09/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -659,12 +659,12 @@ When this setting isn't configured, the OS configures the storage allocation for
| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
| 10000 | 10GB. |
| 25000 | 25GB. |
| 50000 | 50GB. |
| 75000 | 75GB. |
| 100000 | 100GB. |
| 150000 | 150GB. |
| 10240 | 10GB. |
| 25600 | 25GB. |
| 51200 | 50GB. |
| 76800 | 75GB. |
| 102400 | 100GB. |
| 153600 | 150GB. |
<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-Begin -->
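Review bot: the new values are 1024-based (10240, 25600, 51200, 76800, 102400, 153600), so the value column is in mebibytes while the description column says "10GB" and so on; put the unit in the table or the description above it so nobody types 10000 from the old page. Second point: the old values 10000/25000/... were published, so say whether a device already configured with one of them keeps working, falls back to the OS default (0), or rejects the Replace.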

View File

@ -1,7 +1,7 @@
---
title: Reboot CSP
description: Learn more about the Reboot CSP.
ms.date: 01/18/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Reboot-Begin -->
# Reboot CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Reboot-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Reboot configuration service provider is used to configure reboot settings.
@ -122,7 +120,7 @@ The supported operation is Get.
<!-- Device-Schedule-DailyRecurrent-Description-Begin -->
<!-- Description-Source-DDF -->
Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.
Value in ISO8601 date and time format (such as 2025-10-07. T10:35:00) is required. While it's supported to set either DailyRecurrent or WeeklyRecurrent schedules, it isn't supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.
<!-- Device-Schedule-DailyRecurrent-Description-End -->
<!-- Device-Schedule-DailyRecurrent-Editable-Begin -->
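Review bot: the example timestamp "2025-10-07. T10:35:00" has a stray period and space in the middle; the DDF description in this same commit uses "2025-10-07T10:35:00", which is the valid ISO 8601 form, and a reader who copies the markdown example gets a value the node is unlikely to parse. Also say whether the time is local or UTC, since the example carries no zone designator and a reboot at the wrong hour is an outage.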
@ -161,7 +159,7 @@ Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecur
<!-- Device-Schedule-Single-Description-Begin -->
<!-- Description-Source-DDF -->
Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule.
Value in ISO8601 date and time format (such as 2025-10-07. T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.
<!-- Device-Schedule-Single-Description-End -->
<!-- Device-Schedule-Single-Editable-Begin -->
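Review bot: same stray ". " in the example timestamp as in the DailyRecurrent hunk ("2025-10-07. T10:35:00" should be "2025-10-07T10:35:00", matching the DDF text in this commit). Also "date and time format (...) is required. Both the date and time are required." says the same thing twice; keep one sentence.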
@ -189,7 +187,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule
<!-- Device-Schedule-WeeklyRecurrent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Schedule-WeeklyRecurrent-Applicability-End -->
<!-- Device-Schedule-WeeklyRecurrent-OmaUri-Begin -->
@ -200,7 +198,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule
<!-- Device-Schedule-WeeklyRecurrent-Description-Begin -->
<!-- Description-Source-DDF -->
Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled every week at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.
Value in ISO8601 date and time format (such as 2025-10-07. T10:35:00) is required. While it's supported to set either DailyRecurrent or WeeklyRecurrent schedules, it isn't supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.
<!-- Device-Schedule-WeeklyRecurrent-Description-End -->
<!-- Device-Schedule-WeeklyRecurrent-Editable-Begin -->
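Review bot: same stray ". " in "2025-10-07. T10:35:00" as in the two Reboot hunks above. Here the weekday matters: the text says "configured day and time" but the value carries only a date, so state explicitly that the reboot recurs on the weekday of the supplied date, otherwise an admin may look for a separate day field.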

View File

@ -1,7 +1,7 @@
---
title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
ms.date: 06/28/2024
ms.date: 02/11/2025
---
<!-- Auto-Generated CSP Document -->
@ -95,7 +95,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get />
<Replace />
</AccessType>
<Description>Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule.</Description>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -122,7 +122,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get />
<Replace />
</AccessType>
<Description>Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -149,7 +149,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get />
<Replace />
</AccessType>
<Description>Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled every week at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -164,8 +164,8 @@ The following XML file contains the device description framework (DDF) for the R
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>

View File

@ -36,4 +36,6 @@ Use the table below to reference any particular content types or services endpoi
| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Both |
| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Both |
| *.do.dsp.mp.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Connected Cache Managed in Azure |
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | AMQP / 5671 </br> MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
| *.ubuntu.com, api.snapcraft.io | HTTP / 80 </br> HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure |
| packages.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure |
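Review bot: dropping `AMQP / 5671` and `MQTT / 8883` from the IoT Edge / IoT Hub row only holds for cache nodes redeployed with install script v2.0.0.2 (see the release notes hunk further down); nodes installed with the earlier script still use those ports until redeployed, so add a footnote saying so before customers close them on their firewalls. Minor: the protocol column mixes `HTTPs` and `HTTP`; use `HTTPS`.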

View File

@ -30,6 +30,8 @@ This article details the requirements and recommended specifications for using M
- [Windows Enterprise E3 or E5](/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916)
- Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans)
Note that there is no limit to the number of licensed machines that may concurrently download from a Connected Cache node.
## Cache node host machine requirements
### General requirements
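Review bot: the added sentence `Note that there is no limit to the number of licensed machines...` sits directly between the license list and the `## Cache node host machine requirements` heading; use the `> [!NOTE]` alert this docs set uses elsewhere, and confirm a blank line separates it from the list so it isn't rendered as a continuation of the last bullet.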

View File

@ -18,16 +18,29 @@ ms.date: 10/30/2024
This article contains details about the latest releases of Connected Cache. Since Connected Cache is a preview service, some releases may contain breaking changes.
## Install script v2.0.0.2
Released on **2/7/2025**
These changes only affect the installation scripts for Connected Cache. To take advantage of these changes, you'll need to redeploy your existing cache nodes using the updated installation script.
### Improvements
- **Removes dependency on AMQP/MQTT ports**: Cache nodes deployed using this updated installation script will no longer use AMQP (5671) or MQTT (8883) ports. This change simplifies the network configuration for cache nodes and reduces the number of ports that need to be opened in your network security group.
- **Improves cleanup during uninstall**: Windows-hosted cache nodes will now remove port proxy rules when uninstalled using the `uninstallmcconwsl.ps1` script. This change ensures that the host machine's WSL port-forwarding rules are cleaned up properly when uninstalling Connected Cache.
- **Changes install error codes from decimal to hex code**: Install error codes for Windows-hosted cache nodes are now displayed in hex code format, improving error code readability.
- **Uses configured proxy to perform install**: If a proxy was configured for the Windows-hosted cache node in Azure portal, the cache node uses the specified proxy during installation.
## Release v1.2.1.2076_E (public preview launch)
The public preview released on **10/30/2024**
For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. Please see the [early preview documentation page](mcc-ent-early-preview.md) for more details.
For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. See the [early preview documentation page](mcc-ent-early-preview.md) for more details.
### Feature updates
- **Metrics and charts in Azure portal**: You can now visualize *Outbound egress* and *Volume by Content type* charts for your cache node on Azure portal. You can also create custom monitoring charts for your cache nodes. This capability is under the **Metrics** tab on Azure portal.
- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by simply choosing the OS when creating cache nodes.
- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by choosing the OS when creating cache nodes.
- **Ubuntu 22.04 LTS**: Cache nodes can now be deployed on Ubuntu 22.04 LTS.
- **Azure CLI support**: Cache nodes can now be created and managed via Azure CLI.
- **Proxy**: We added support for unauthenticated proxy and cloud proxy integration.
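Review bot: the front matter still shows `ms.date: 10/30/2024` (hunk header context) while the new Install script v2.0.0.2 section is dated 2/7/2025; bump `ms.date` as the other files in this commit do. In the `Removes dependency on AMQP/MQTT ports` bullet, say explicitly that nodes deployed with the earlier script keep using 5671/8883 until redeployed, since that sentence is what admins will use to decide when to close the ports.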

View File

@ -23,8 +23,6 @@ This article contains instructions on how to troubleshoot different issues you m
This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release.
### Cache node monitoring chart in the Azure portal user interface displays incorrect information
### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language
In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs.
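Review bot: the `### Cache node monitoring chart in the Azure portal user interface displays incorrect information` known issue is removed, which implies it is fixed, but neither the v2.0.0.2 release notes in this commit nor this page says where the fix shipped; either add it under Improvements in the release notes or keep the entry until the fix is documented.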
@ -82,6 +80,10 @@ You can expect to see the following types of log files:
1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine.
1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script.
### Group Policy Object conflicts with Scheduled Task registration
Enabling the Group Policy Object: [Network access: Do not allow storage of passwords and credentials for network authentication](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication) will prevent the Connected Cache software from registering the scheduled tasks necessary for successful cache node registration and operation.
### WSL2 fails to install with message "A specified logon session doesn't exist"
If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window.
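Review bot: the `### Group Policy Object conflicts with Scheduled Task registration` section states the cause but neither the symptom nor the remedy; add the error the install script surfaces when task registration fails and the supported way to proceed, so readers aren't nudged to weaken a credential-hardening policy fleet-wide just to get a cache node registered. The heading capitalizes `Scheduled Task` while the body says `scheduled tasks`; pick one.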

View File

@ -1,7 +1,7 @@
---
title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device
ms.date: 11/19/2024
ms.date: 02/03/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -22,7 +22,12 @@ ms.collection:
> [!IMPORTANT]
> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
> [!NOTE]
> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
## Key benefits
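Review bot: `Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy` reads as though Autopatch produces the hotpatch itself; reword to say Autopatch is required to deploy Hotpatch updates through a quality update policy. The IMPORTANT note above it still says `They're made available on a "Preview" basis` right after `This feature is...`, a pronoun mismatch left over from the old text. The NOTE's link text `Hotpatch for Windows Server Azure Edition` doesn't cover the Windows 365 claim in the same sentence; add a Windows 365 reference or drop the mention.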
@ -30,6 +35,17 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
## Release cycles
For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
| ----- | ----- | ----- |
| 1 | January | February and March |
| 2 | April | May and June |
| 3 | July | August and September |
| 4 | October | November and December |
## Operating system configuration prerequisites
To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
@ -66,13 +82,6 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
> [!NOTE]
> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
## Release cycles
For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
- Baseline Release Months: January, April, July, October
- Hotpatch Release Months: February, March, May, June, August, September, November, December
## Enroll devices to receive Hotpatch updates
> [!NOTE]
@ -95,3 +104,7 @@ These steps ensure that targeted devices, which are [eligible](#eligible-devices
> [!NOTE]
> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
## Roll back a hotpatch update
Automatic rollback of a Hotpatch update isnt supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
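Review bot: in the `## Roll back a hotpatch update` paragraph, `isnt` is missing its apostrophe, `latest standard cumulative update (LCU)` garbles the expansion (LCU is the latest cumulative update), the paragraph alternates `Hotpatch update` and `hotpatch update`, and `Uninstalling a hotpatch update is quick, however, it does require a device restart` is a comma splice. The practical gap: say which tool or action performs the uninstall so the rollback guidance is actionable.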

View File

@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li><li>devicelistenerprod.microsoft.com</li><li>login.windows.net</li><li>device.autopatch.microsoft.com</li></ul>|
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>devicelistenerprod.microsoft.com</li><li>login.windows.net</li><li>device.autopatch.microsoft.com</li></ul>|
## Delivery Optimization
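Review bot: `logcollection.mmd.microsoft.com` and `support.mmd.microsoft.com` are removed from the Windows Autopatch allowlist without explanation; add a change-history line or a sentence telling admins these endpoints are no longer required so they can tighten the corresponding firewall rules, and confirm that no Autopatch log-collection or support feature still depends on them.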

View File

@ -174,6 +174,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
||The following endpoint is for a public web API used by Windows and other OS-agnostic products to check for new updates. If you disable this endpoint, these products won't be able to check for and apply software updates.|TLSv1.2/HTTPS/HTTP|*.api.cdp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
|||TLSv1.2|da.xboxservices.com|
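Review bot: the new `*.api.cdp.microsoft.com` row says `Windows and other OS-agnostic products`, which is contradictory (Windows isn't OS-agnostic); say `Windows and other Microsoft products`. Its consequence sentence uses `If you disable this endpoint` while the adjacent rows say `If you turn off traffic for this endpoint`; align the wording.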

View File

@ -130,7 +130,9 @@ There's a defined list of SIDs that App Control recognizes as admins. If a filep
App Control's list of well-known admin SIDs are:
```
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
```
When filepath rules are generated using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
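Review bot: the newly fenced SID list ends with a trailing period after `...2746676523.`, which a reader copying from the code block will pick up as part of the last SID; drop it. Consider one SID per line inside the fence so the list is diffable and copy-safe, and tag the fence with a language (or `text`) as the repo's other fences do.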
@ -140,8 +142,8 @@ The following wildcards can be used in App Control filepath rules:
| Wildcard character | Meaning | Supported operating systems |
|------------ | ----------- | ----------- |
| **`*`** | Matches zero or more characters. | Windows 11, Windows 10, and Windows Server 2022 |
| **`?`** | Matches a single character. | Windows 11 only |
| **`*`** | Matches zero or more characters. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
| **`?`** | Matches a single character. | Windows 11 and later, or Windows Server 2025 and later |
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. These macros can be used in combination with the wildcards above.
@ -154,9 +156,9 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
| Examples | Description | Supported operating systems |
|------------ | ----------- | ----------- |
| **C:\\Windows\\\*** <br> **D:\\EnterpriseApps\\MyApp\\\*** <br> **%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 11, Windows 10, and Windows Server 2022 |
| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 11, Windows 10, and Windows Server 2022 |
| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe** <br> **%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match: <br> *`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`* <br> *`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 only |
| **C:\\Windows\\\*** <br> **D:\\EnterpriseApps\\MyApp\\\*** <br> **%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe** <br> **%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match: <br> *`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`* <br> *`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 and later, or Windows Server 2025 and later |
Without a wildcard, the filepath rule allows only a specific file (ex. `C:\foo\bar.exe`).

View File

@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
ms.date: 12/05/2024
ms.date: 02/11/2025
---
# BitLocker recovery process
@ -75,7 +75,7 @@ The following list can be used as a template for creating a recovery process for
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
> [!NOTE]
> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will continue to have access to BitLocker recovery keys for those devices that have undergone device ownership changes, unless the new device owner belongs to a custom role or adminstrative unit scope. In such an instance, the user will need to contact other scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
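Review bot: the rewritten NOTE reverses the previous statement (scoped administrators `will continue to have access` instead of `will lose access`), which is a behavioural claim about how Entra scopes recovery-key access and should be confirmed against the product source before publishing; the qualifier `unless the new device owner belongs to a custom role or adminstrative unit scope` is ambiguous (whose scope?) and misspells `administrative`, and `contact other scoped administrator` is missing an article.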

View File

@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 01/24/2025
ms.date: 02/03/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -21,9 +21,9 @@ appliesto:
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client.<!-- this sentence is used by tip for RSS --> For more information about features that were removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
- To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
- For more information about how deprecation fits into the Windows lifecycle, see [Deprecation: What it means in the Windows lifecycle](https://techcommunity.microsoft.com/blog/windows-itpro-blog/deprecation-what-it-means-in-the-windows-lifecycle/4372457).
- For more information about features removed on upgrade to Windows 11 from Windows 10, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features were replaced with other features or functionality and some are now available from other sources.
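Review bot: the standalone sentence `For more information about features in Windows 11, see [Feature deprecations and removals](...#table3)` and the third new bullet link to the same `#table3` anchor; if that sentence remains as context it now duplicates the bullet, so keep only one of them.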
@ -52,13 +52,13 @@ The features in this article are no longer being actively developed, and might b
| Paint 3D <!--8995017--> | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 |
| Adobe Type1 fonts <!--9183716-->| Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows.</br></br> In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
| DirectAccess <!--8713507-->| DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
| NTLM <!--8396018-->| All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). </br></br> **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. <!--9544861--> | June 2024 |
| NTLM <!--8396018-->| All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which tries to authenticate with Kerberos and only falls back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). </br></br> **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. <!--9544861--> | June 2024 |
| Driver Verifier GUI (verifiergui.exe) <!--8995057--> | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
| NPLogonNotify and NPPasswordChangeNotify APIs <!--8787264--> | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| NPLogonNotify and NPPasswordChangeNotify APIs <!--8787264--> | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to `disabled` by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits is deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.</br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality <!--8412877, 9720344--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). </br></br> **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available. <br><br>**[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). </br></br> **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available. <br><br>**[Update - April 2024]**: Because Application Guard is deprecated there won't be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app won't be available after May 2024. This change affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you're ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
| Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition <!--8396142-->| [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office <!--8396036-->| [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
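Review bot: the Application Guard for Edge row change is purely stylistic (contractions, "This change affects"), so while this table is being touched it is worth fixing two defects in the surrounding context lines as well: the Windows Mixed Reality row is missing a space in "Steam VR Beta.Existing Windows Mixed Reality devices", and the Windows speech recognition row states that voice access "supports five English locales" but then lists six (English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia). Suggest adding the missing space and reconciling the locale count with the list in the same change.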