Merge pull request #10746 from MicrosoftDocs/main

Publish main to live, 04/04/25, 10:30 AM PDT
Ruchika Mittal 2025-04-04 23:46:30 +05:30 committed by GitHub
commit 2abc643850
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 760 additions and 163 deletions

@ -1,7 +1,7 @@
--- ---
title: BitLocker CSP title: BitLocker CSP
description: Learn more about the BitLocker CSP. description: Learn more about the BitLocker CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -175,7 +175,7 @@ The expected values for this policy are:
1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed. 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Entra ID joined devices.
Windows will attempt to silently enable BitLocker for value 0. Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Description-End --> <!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
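Review bot: The edited line for value 0 still reads "Starting in Windows 10, next major update", while the allowed-values table in the next hunk dates the same restriction to "Windows 10, version 1803"; since the line is being touched anyway, replace the placeholder with the version. The two places also describe the restriction differently ("only takes effect on" here, "can only be set for" in the table), which matters to an admin deciding whether value 0 will silently enable BitLocker on a device that is not Entra ID joined, so settle on one wording. Dropping "Microsoft" from the product name should be checked against the branding used in the rest of the docs set.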
@ -209,7 +209,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. | | 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 1 (Default) | Warning prompt allowed. | | 1 (Default) | Warning prompt allowed. |
<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End --> <!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
@ -251,9 +251,9 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices. Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and hybrid domain joined devices.
When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. When not configured, Rotation is turned on by default for Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
@ -261,8 +261,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
Supported Values: 0 - Numeric Recovery Passwords rotation OFF. Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value 1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices. 2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and hybrid devices.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-End --> <!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
@ -285,8 +285,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Refresh off (default). | | 0 (Default) | Refresh off (default). |
| 1 | Refresh on for Microsoft Entra joined devices. | | 1 | Refresh on for Entra ID-joined devices. |
| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. | | 2 | Refresh on for both Entra ID-joined and hybrid-joined devices. |
<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End --> <!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
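Review bot: Hyphenation of the join state is inconsistent within this change: the two table rows here use "Entra ID-joined", while the description lines edited in the earlier hunks of this file use "Entra ID joined". Use one form throughout the file, preferably the hyphenated one that is already used for "hybrid-joined".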
@ -1212,7 +1212,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
<!-- Device-RotateRecoveryPasswords-Description-Begin --> <!-- Device-RotateRecoveryPasswords-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device. Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools. This policy is Execute type and rotates all numeric passwords when issued from MDM tools.

@ -1,7 +1,7 @@
--- ---
title: BitLocker DDF file title: BitLocker DDF file
description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -580,7 +580,7 @@ The following XML file contains the device description framework (DDF) for the B
1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
the value 0 only takes affect on Azure Active Directory joined devices. the value 0 only takes affect on Entra ID joined devices.
Windows will attempt to silently enable BitLocker for value 0. Windows will attempt to silently enable BitLocker for value 0.
If you want to disable this policy use the following SyncML: If you want to disable this policy use the following SyncML:
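Review bot: The edited line keeps the typo "takes affect" ("the value 0 only takes affect on Entra ID joined devices"); it should read "takes effect", which is what the generated BitLocker CSP page in this same commit already says. Fixing it here, in the source description, avoids the two files drifting further apart.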
@ -600,7 +600,7 @@ The following XML file contains the device description framework (DDF) for the B
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription> <MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
@ -680,15 +680,15 @@ The following XML file contains the device description framework (DDF) for the B
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. <Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when When not configured, Rotation is turned on by default for Entra ID only and off on Hybrid. The Policy will be effective only when
Active Directory back up for recovery password is configured to required. Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
Supported Values: 0 - Numeric Recovery Passwords rotation OFF. Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value 1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices 2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and Hybrid devices
If you want to disable this policy use the following SyncML: If you want to disable this policy use the following SyncML:
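Review bot: The default is stated three ways in this hunk and they do not agree: "<DefaultValue>0</DefaultValue>" at the top, "Rotation is turned on by default for Entra ID only" in the description, and "Default value" attached to value 1 in the supported-values list. The CSP page takes its description from this text (it is marked Description-Source-DDF), so that page ends up labelling 0 as "(Default)" in its table while its prose says rotation is on by default. State which value an unconfigured Entra ID joined device actually uses and make the element and the prose match; an admin reading only the table would conclude that a used recovery password is not rotated unless the policy is set.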
@ -716,11 +716,11 @@ The following XML file contains the device description framework (DDF) for the B
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Refresh on for Azure AD-joined devices</MSFT:ValueDescription> <MSFT:ValueDescription>Refresh on for Entra ID-joined devices</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Refresh on for both Azure AD-joined and hybrid-joined devices</MSFT:ValueDescription> <MSFT:ValueDescription>Refresh on for both Entra ID-joined and hybrid-joined devices</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -731,7 +731,7 @@ The following XML file contains the device description framework (DDF) for the B
<AccessType> <AccessType>
<Exec /> <Exec />
</AccessType> </AccessType>
<Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. <Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools. This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."

@ -1,7 +1,7 @@
--- ---
title: Firewall CSP title: Firewall CSP
description: Learn more about the Firewall CSP. description: Learn more about the Firewall CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -1896,9 +1896,7 @@ New rules have the EdgeTraversal property disabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.
If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Editable-Begin -->
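Review bot: The new sentence for the Enabled node reverses the documented default (from "a new rule is disabled by default" to "a new rule is enabled by default") and drops "If the rule must be enabled, this value must be set to true", with nothing in the change saying whether the behaviour changed or the old text was wrong. Say which Windows versions the new statement applies to, and keep a recommendation to set Enabled explicitly on every rule so that the result does not depend on the default: a block rule that is assumed active, or an allow rule that is assumed inactive, is the failure this sentence decides. The same applies to the Hyper-V firewall rule in the next hunk.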
@ -3254,9 +3252,7 @@ If not specified the default is OUT.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.
If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Editable-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Editable-Begin -->

@ -1,7 +1,7 @@
--- ---
title: Firewall DDF file title: Firewall DDF file
description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -4060,8 +4060,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. <Description>Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.</Description>
If not specified - a new rule is disabled by default.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
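Review bot: The default for this bool node exists only in the Description prose: "</AccessType>" is followed directly by "<Description>", with no "<DefaultValue>" element like the one the BitLocker DDF in this commit carries for its rotation policy. Adding the element would make the default machine-readable instead of leaving it to a sentence that has just been reversed; the same goes for the Hyper-V rule node in the next hunk. The wording "If not specified - a new rule is enabled by default." would also read better as "If not specified, a new rule is enabled by default."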
@ -4760,8 +4759,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. <Description>Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.</Description>
If not specified - a new rule is disabled by default.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>

@ -1,7 +1,7 @@
--- ---
title: Configuration service provider preview policies title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 03/26/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -23,6 +23,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## ApplicationManagement ## ApplicationManagement
- [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules) - [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules)
- [ConfigureMSIXAuthenticationAuthorizedDomains](policy-csp-applicationmanagement.md#configuremsixauthenticationauthorizeddomains)
## ClientCertificateInstall CSP ## ClientCertificateInstall CSP
@ -92,9 +93,8 @@ This article lists the policies that are applicable for Windows Insider Preview
## HumanPresence ## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen) - [ForceOnlookerDetection](policy-csp-humanpresence.md#forceonlookerdetection)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim) - [ForceOnlookerDetectionAction](policy-csp-humanpresence.md#forceonlookerdetectionaction)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer ## InternetExplorer
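Review bot: Three HumanPresence entries are replaced by two here, and ForcePrivacyScreenNotification has no successor in the list, so a reader cannot tell from this page that notification is now covered by the values of ForceOnlookerDetectionAction. The old anchors (#forceprivacyscreen, #forceprivacyscreendim, #forceprivacyscreennotification) also disappear, so any inbound link to them will break; check for references elsewhere in the docs set, or add a short rename note on the HumanPresence page.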
@ -111,6 +111,16 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation) - [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages) - [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
## LanmanWorkstation
- [AuditInsecureGuestLogon](policy-csp-lanmanworkstation.md#auditinsecureguestlogon)
- [AuditServerDoesNotSupportEncryption](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportencryption)
- [AuditServerDoesNotSupportSigning](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportsigning)
- [EnableMailslots](policy-csp-lanmanworkstation.md#enablemailslots)
- [MaxSmb2Dialect](policy-csp-lanmanworkstation.md#maxsmb2dialect)
- [MinSmb2Dialect](policy-csp-lanmanworkstation.md#minsmb2dialect)
- [RequireEncryption](policy-csp-lanmanworkstation.md#requireencryption)
## LocalPoliciesSecurityOptions ## LocalPoliciesSecurityOptions
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache) - [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
@ -133,6 +143,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Power
- [EnableEnergySaver](policy-csp-power.md#enableenergysaver)
## Printers ## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy) - [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
@ -165,6 +179,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled) - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
## System
- [DisableCHPE](policy-csp-system.md#disablechpe)
## TextInput ## TextInput
- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability) - [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
@ -180,10 +198,12 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI ## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall) - [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall) - [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) - [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) - [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableClickToDo](policy-csp-windowsai.md#disableclicktodo)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator) - [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator) - [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill) - [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)

@ -1,7 +1,7 @@
--- ---
title: ApplicationManagement Policy CSP title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP. description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -635,6 +635,54 @@ Manages non-Administrator users' ability to install Windows app packages.
<!-- BlockNonAdminUserInstall-End --> <!-- BlockNonAdminUserInstall-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Begin -->
## ConfigureMSIXAuthenticationAuthorizedDomains
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Applicability-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ConfigureMSIXAuthenticationAuthorizedDomains
```
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-OmaUri-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Description-Begin -->
<!-- Description-Source-DDF -->
Defines a regular expression in ECMA Script. When performing a streaming MSIX install, if this regular expression matches the domain name (uppercased) then the user's EntraID OAuth token will be attached to the request.
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Description-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Editable-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-DFProperties-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureMSIXAuthenticationAuthorizedDomains |
| Path | AppxPackageManager > AT > WindowsComponents > AppxDeployment |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-GpMapping-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Examples-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-End -->
<!-- DisableStoreOriginatedApps-Begin --> <!-- DisableStoreOriginatedApps-Begin -->
## DisableStoreOriginatedApps ## DisableStoreOriginatedApps
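Review bot: The description of ConfigureMSIXAuthenticationAuthorizedDomains does not say whether the regular expression has to match the whole domain name or only part of it, and that decides which hosts receive the user's OAuth token. If a partial match is enough, a pattern written without anchors would also match longer, unrelated host names that contain the intended domain, so the text should state the matching rule and the empty Examples section should carry one anchored pattern. It should also say what happens when the policy is not configured (the properties table lists no default), spell out that patterns must be written in uppercase because the domain name is uppercased before matching, and use "ECMAScript" and "Entra ID" to match the spelling used elsewhere in this commit.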

@ -1,7 +1,7 @@
--- ---
title: Defender Policy CSP title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP. description: Learn more about the Defender Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -728,7 +728,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 1 |
<!-- AllowScanningNetworkFiles-DFProperties-End --> <!-- AllowScanningNetworkFiles-DFProperties-End -->
<!-- AllowScanningNetworkFiles-AllowedValues-Begin --> <!-- AllowScanningNetworkFiles-AllowedValues-Begin -->
@ -736,8 +736,8 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Not allowed. Turns off scanning of network files. | | 0 | Not allowed. Turns off scanning of network files. |
| 1 | Allowed. Scans network files. | | 1 (Default) | Allowed. Scans network files. |
<!-- AllowScanningNetworkFiles-AllowedValues-End --> <!-- AllowScanningNetworkFiles-AllowedValues-End -->
<!-- AllowScanningNetworkFiles-GpMapping-Begin --> <!-- AllowScanningNetworkFiles-GpMapping-Begin -->
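Review bot: The default for AllowScanningNetworkFiles flips from 0 to 1 in both the properties table and the allowed-values table, but nothing in the change says whether the product default changed or the documentation was wrong. Add a line stating from which version 1 is the default, or that it always was; baselines written against the old page assumed network files are not scanned unless the policy is set, and anyone auditing device state against this page needs to know which reading is right.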

@ -1,7 +1,7 @@
--- ---
title: HumanPresence Policy CSP title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP. description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -529,31 +529,31 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End --> <!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin --> <!-- ForceOnlookerDetection-Begin -->
## ForcePrivacyScreen ## ForceOnlookerDetection
<!-- ForcePrivacyScreen-Applicability-Begin --> <!-- ForceOnlookerDetection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End --> <!-- ForceOnlookerDetection-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin --> <!-- ForceOnlookerDetection-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetection
``` ```
<!-- ForcePrivacyScreen-OmaUri-End --> <!-- ForceOnlookerDetection-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin --> <!-- ForceOnlookerDetection-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out. Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End --> <!-- ForceOnlookerDetection-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin --> <!-- ForceOnlookerDetection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End --> <!-- ForceOnlookerDetection-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin --> <!-- ForceOnlookerDetection-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
@ -561,9 +561,9 @@ Determines whether detect when other people are looking at my screen is forced o
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End --> <!-- ForceOnlookerDetection-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin --> <!-- ForceOnlookerDetection-AllowedValues-Begin -->
**Allowed values**: **Allowed values**:
| Value | Description | | Value | Description |
@ -571,48 +571,48 @@ Determines whether detect when other people are looking at my screen is forced o
| 2 | ForcedOff. | | 2 | ForcedOff. |
| 1 | ForcedOn. | | 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. | | 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End --> <!-- ForceOnlookerDetection-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin --> <!-- ForceOnlookerDetection-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | ForcePrivacyScreen | | Name | ForceOnlookerDetection |
| Path | Sensors > AT > WindowsComponents > HumanPresence | | Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End --> <!-- ForceOnlookerDetection-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin --> <!-- ForceOnlookerDetection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End --> <!-- ForceOnlookerDetection-Examples-End -->
<!-- ForcePrivacyScreen-End --> <!-- ForceOnlookerDetection-End -->
<!-- ForcePrivacyScreenDim-Begin --> <!-- ForceOnlookerDetectionAction-Begin -->
## ForcePrivacyScreenDim ## ForceOnlookerDetectionAction
<!-- ForcePrivacyScreenDim-Applicability-Begin --> <!-- ForceOnlookerDetectionAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End --> <!-- ForceOnlookerDetectionAction-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin --> <!-- ForceOnlookerDetectionAction-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetectionAction
``` ```
<!-- ForcePrivacyScreenDim-OmaUri-End --> <!-- ForceOnlookerDetectionAction-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin --> <!-- ForceOnlookerDetectionAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. Determines whether the Onlooker Detection action is forced by the MDM policy. The user won't be able to change this setting and the toggle in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End --> <!-- ForceOnlookerDetectionAction-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin --> <!-- ForceOnlookerDetectionAction-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End --> <!-- ForceOnlookerDetectionAction-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin --> <!-- ForceOnlookerDetectionAction-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
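Review bot: The new ForceOnlookerDetectionAction description never says what the action is. "Determines whether the Onlooker Detection action is forced by the MDM policy" reads as an on/off switch, while the text it replaces was specific about dimming the screen. Since the description is DDF-generated, suggest using the empty Editable block to state that the value selects which response is enforced when an onlooker is detected, and that this node replaces ForcePrivacyScreenDim, so admins with the old OMA-URI in a profile know to update it.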
@ -620,91 +620,33 @@ Determines whether dim the screen when other people are looking at my screen che
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End --> <!-- ForceOnlookerDetectionAction-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin --> <!-- ForceOnlookerDetectionAction-AllowedValues-Begin -->
**Allowed values**: **Allowed values**:
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 2 | ForcedUnchecked. | | 3 | ForcedDimAndNotify. |
| 1 | ForcedChecked. | | 2 | ForcedNotify. |
| 1 | ForcedDim. |
| 0 (Default) | DefaultToUserChoice. | | 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End --> <!-- ForceOnlookerDetectionAction-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin --> <!-- ForceOnlookerDetectionAction-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | ForcePrivacyScreenDim | | Name | ForceOnlookerDetectionAction |
| Path | Sensors > AT > WindowsComponents > HumanPresence | | Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End --> <!-- ForceOnlookerDetectionAction-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin --> <!-- ForceOnlookerDetectionAction-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End --> <!-- ForceOnlookerDetectionAction-Examples-End -->
<!-- ForcePrivacyScreenDim-End --> <!-- ForceOnlookerDetectionAction-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- HumanPresence-CspMoreInfo-Begin --> <!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
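Review bot: The merged Allowed values table has no equivalent of the removed "2 | ForcedUnchecked." row, so after this change there is no documented way to force onlooker detection off, and value 2 now means ForcedNotify instead. If forcing the feature off is still supported, add that value; if it is not, say so in the Editable block, and call out the changed meaning of 2 for anyone carrying values over from ForcePrivacyScreenDim or ForcePrivacyScreenNotification, both of which this hunk removes without a deprecation note.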


@ -1,7 +1,7 @@
--- ---
title: LanmanWorkstation Policy CSP title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP. description: Learn more about the LanmanWorkstation Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -10,10 +10,213 @@ ms.topic: generated-reference
<!-- LanmanWorkstation-Begin --> <!-- LanmanWorkstation-Begin -->
# Policy CSP - LanmanWorkstation # Policy CSP - LanmanWorkstation
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LanmanWorkstation-Editable-Begin --> <!-- LanmanWorkstation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-Editable-End --> <!-- LanmanWorkstation-Editable-End -->
<!-- AuditInsecureGuestLogon-Begin -->
## AuditInsecureGuestLogon
<!-- AuditInsecureGuestLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditInsecureGuestLogon-Applicability-End -->
<!-- AuditInsecureGuestLogon-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditInsecureGuestLogon
```
<!-- AuditInsecureGuestLogon-OmaUri-End -->
<!-- AuditInsecureGuestLogon-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the client is logged-on as guest account.
- If you enable this policy setting, the SMB client will log the event when the client is logged-on as guest account.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditInsecureGuestLogon-Description-End -->
<!-- AuditInsecureGuestLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditInsecureGuestLogon-Editable-End -->
<!-- AuditInsecureGuestLogon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditInsecureGuestLogon-DFProperties-End -->
<!-- AuditInsecureGuestLogon-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditInsecureGuestLogon-AllowedValues-End -->
<!-- AuditInsecureGuestLogon-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditInsecureGuestLogon |
| Friendly Name | Audit insecure guest logon |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditInsecureGuestLogon |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditInsecureGuestLogon-GpMapping-End -->
<!-- AuditInsecureGuestLogon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditInsecureGuestLogon-Examples-End -->
<!-- AuditInsecureGuestLogon-End -->
<!-- AuditServerDoesNotSupportEncryption-Begin -->
## AuditServerDoesNotSupportEncryption
<!-- AuditServerDoesNotSupportEncryption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditServerDoesNotSupportEncryption-Applicability-End -->
<!-- AuditServerDoesNotSupportEncryption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportEncryption
```
<!-- AuditServerDoesNotSupportEncryption-OmaUri-End -->
<!-- AuditServerDoesNotSupportEncryption-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support encryption.
- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support encryption.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditServerDoesNotSupportEncryption-Description-End -->
<!-- AuditServerDoesNotSupportEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportEncryption-Editable-End -->
<!-- AuditServerDoesNotSupportEncryption-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditServerDoesNotSupportEncryption-DFProperties-End -->
<!-- AuditServerDoesNotSupportEncryption-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditServerDoesNotSupportEncryption-AllowedValues-End -->
<!-- AuditServerDoesNotSupportEncryption-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditServerDoesNotSupportEncryption |
| Friendly Name | Audit server does not support encryption |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditServerDoesNotSupportEncryption |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditServerDoesNotSupportEncryption-GpMapping-End -->
<!-- AuditServerDoesNotSupportEncryption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportEncryption-Examples-End -->
<!-- AuditServerDoesNotSupportEncryption-End -->
<!-- AuditServerDoesNotSupportSigning-Begin -->
## AuditServerDoesNotSupportSigning
<!-- AuditServerDoesNotSupportSigning-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditServerDoesNotSupportSigning-Applicability-End -->
<!-- AuditServerDoesNotSupportSigning-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportSigning
```
<!-- AuditServerDoesNotSupportSigning-OmaUri-End -->
<!-- AuditServerDoesNotSupportSigning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support signing.
- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support signing.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditServerDoesNotSupportSigning-Description-End -->
<!-- AuditServerDoesNotSupportSigning-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportSigning-Editable-End -->
<!-- AuditServerDoesNotSupportSigning-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditServerDoesNotSupportSigning-DFProperties-End -->
<!-- AuditServerDoesNotSupportSigning-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditServerDoesNotSupportSigning-AllowedValues-End -->
<!-- AuditServerDoesNotSupportSigning-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditServerDoesNotSupportSigning |
| Friendly Name | Audit server does not support signing |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditServerDoesNotSupportSigning |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditServerDoesNotSupportSigning-GpMapping-End -->
<!-- AuditServerDoesNotSupportSigning-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportSigning-Examples-End -->
<!-- AuditServerDoesNotSupportSigning-End -->
<!-- EnableInsecureGuestLogons-Begin --> <!-- EnableInsecureGuestLogons-Begin -->
## EnableInsecureGuestLogons ## EnableInsecureGuestLogons
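Review bot: The three new audit policies (AuditInsecureGuestLogon, AuditServerDoesNotSupportEncryption, AuditServerDoesNotSupportSigning) each say "the SMB client will log the event" without naming the event log channel or the event ID, so a reader cannot build a collection rule or an alert from this page. The descriptions are ADMX-generated, so the place to add this is the Editable block, which is empty for all three. For AuditInsecureGuestLogon a cross-reference to EnableInsecureGuestLogons, which follows on the same page, would also help, and "when the client is logged-on as guest account" would read better as "when the client logs on using the guest account" if the ADMX string can be changed.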
@ -85,6 +288,282 @@ Insecure guest logons are used by file servers to allow unauthenticated access t
<!-- EnableInsecureGuestLogons-End --> <!-- EnableInsecureGuestLogons-End -->
<!-- EnableMailslots-Begin -->
## EnableMailslots
<!-- EnableMailslots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- EnableMailslots-Applicability-End -->
<!-- EnableMailslots-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableMailslots
```
<!-- EnableMailslots-OmaUri-End -->
<!-- EnableMailslots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable or disable remote mailslots over MUP.
- If you disable this policy setting, remote mailslots won't function over MUP, hence they won't go through the SMB client redirector.
- If you don't configure this policy setting, remote mailslots may be allowed through MUP.
<!-- EnableMailslots-Description-End -->
<!-- EnableMailslots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableMailslots-Editable-End -->
<!-- EnableMailslots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableMailslots-DFProperties-End -->
<!-- EnableMailslots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- EnableMailslots-AllowedValues-End -->
<!-- EnableMailslots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_EnableMailslots |
| Friendly Name | Enable remote mailslots |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider |
| Registry Value Name | EnableMailslots |
| ADMX File Name | LanmanWorkstation.admx |
<!-- EnableMailslots-GpMapping-End -->
<!-- EnableMailslots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableMailslots-Examples-End -->
<!-- EnableMailslots-End -->
<!-- MaxSmb2Dialect-Begin -->
## MaxSmb2Dialect
<!-- MaxSmb2Dialect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- MaxSmb2Dialect-Applicability-End -->
<!-- MaxSmb2Dialect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MaxSmb2Dialect
```
<!-- MaxSmb2Dialect-OmaUri-End -->
<!-- MaxSmb2Dialect-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the maximum version of SMB protocol.
> [!NOTE]
> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
<!-- MaxSmb2Dialect-Description-End -->
<!-- MaxSmb2Dialect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MaxSmb2Dialect-Editable-End -->
<!-- MaxSmb2Dialect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 785 |
<!-- MaxSmb2Dialect-DFProperties-End -->
<!-- MaxSmb2Dialect-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 514 | SMB 2.0.2. |
| 528 | SMB 2.1.0. |
| 768 | SMB 3.0.0. |
| 770 | SMB 3.0.2. |
| 785 (Default) | SMB 3.1.1. |
<!-- MaxSmb2Dialect-AllowedValues-End -->
<!-- MaxSmb2Dialect-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_MaxSmb2Dialect |
| Friendly Name | Mandate the maximum version of SMB |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| ADMX File Name | LanmanWorkstation.admx |
<!-- MaxSmb2Dialect-GpMapping-End -->
<!-- MaxSmb2Dialect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MaxSmb2Dialect-Examples-End -->
<!-- MaxSmb2Dialect-End -->
<!-- MinSmb2Dialect-Begin -->
## MinSmb2Dialect
<!-- MinSmb2Dialect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- MinSmb2Dialect-Applicability-End -->
<!-- MinSmb2Dialect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MinSmb2Dialect
```
<!-- MinSmb2Dialect-OmaUri-End -->
<!-- MinSmb2Dialect-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the minimum version of SMB protocol.
> [!NOTE]
> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
<!-- MinSmb2Dialect-Description-End -->
<!-- MinSmb2Dialect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinSmb2Dialect-Editable-End -->
<!-- MinSmb2Dialect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 514 |
<!-- MinSmb2Dialect-DFProperties-End -->
<!-- MinSmb2Dialect-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 514 (Default) | SMB 2.0.2. |
| 528 | SMB 2.1.0. |
| 768 | SMB 3.0.0. |
| 770 | SMB 3.0.2. |
| 785 | SMB 3.1.1. |
<!-- MinSmb2Dialect-AllowedValues-End -->
<!-- MinSmb2Dialect-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_MinSmb2Dialect |
| Friendly Name | Mandate the minimum version of SMB |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| ADMX File Name | LanmanWorkstation.admx |
<!-- MinSmb2Dialect-GpMapping-End -->
<!-- MinSmb2Dialect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinSmb2Dialect-Examples-End -->
<!-- MinSmb2Dialect-End -->
<!-- RequireEncryption-Begin -->
## RequireEncryption
<!-- RequireEncryption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- RequireEncryption-Applicability-End -->
<!-- RequireEncryption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/RequireEncryption
```
<!-- RequireEncryption-OmaUri-End -->
<!-- RequireEncryption-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will require encryption.
- If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data.
- If you disable or don't configure this policy setting, the SMB client won't require encryption. However, SMB encryption may still be required; see notes below.
> [!NOTE]
> This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption.
> [!IMPORTANT]
> SMB encryption requires SMB 3.0 or later.
<!-- RequireEncryption-Description-End -->
<!-- RequireEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireEncryption-Editable-End -->
<!-- RequireEncryption-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireEncryption-DFProperties-End -->
<!-- RequireEncryption-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RequireEncryption-AllowedValues-End -->
<!-- RequireEncryption-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_RequireEncryption |
| Friendly Name | Require Encryption |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | RequireEncryption |
| ADMX File Name | LanmanWorkstation.admx |
<!-- RequireEncryption-GpMapping-End -->
<!-- RequireEncryption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireEncryption-Examples-End -->
<!-- RequireEncryption-End -->
<!-- LanmanWorkstation-CspMoreInfo-Begin --> <!-- LanmanWorkstation-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-CspMoreInfo-End --> <!-- LanmanWorkstation-CspMoreInfo-End -->
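Review bot: The Group policy mapping tables for MaxSmb2Dialect and MinSmb2Dialect go from "Registry Key Name" straight to "ADMX File Name" with no "Registry Value Name" row, unlike EnableMailslots and RequireEncryption in the same hunk, so the registry location of these two settings cannot be verified from the page. Please add the row or explain the omission. Two interactions are also left unstated: what happens when MinSmb2Dialect is set higher than MaxSmb2Dialect, and whether a connection fails when RequireEncryption is 1 but a 2.x dialect is negotiated, given that MinSmb2Dialect defaults to 514 (SMB 2.0.2) and the page says "SMB encryption requires SMB 3.0 or later". Separately, EnableMailslots lists Default Value 0 (Disabled) yet says remote mailslots "may be allowed" when not configured, and never describes the enabled case.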


@ -1,7 +1,7 @@
--- ---
title: Power Policy CSP title: Power Policy CSP
description: Learn more about the Power Area in Policy CSP. description: Learn more about the Power Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -12,6 +12,8 @@ ms.topic: generated-reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Power-Editable-Begin --> <!-- Power-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Power-Editable-End --> <!-- Power-Editable-End -->
@ -307,6 +309,64 @@ If the user has configured a slide show to run on the lock screen when the machi
<!-- DisplayOffTimeoutPluggedIn-End --> <!-- DisplayOffTimeoutPluggedIn-End -->
<!-- EnableEnergySaver-Begin -->
## EnableEnergySaver
<!-- EnableEnergySaver-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableEnergySaver-Applicability-End -->
<!-- EnableEnergySaver-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver
```
<!-- EnableEnergySaver-OmaUri-End -->
<!-- EnableEnergySaver-Description-Begin -->
<!-- Description-Source-DDF -->
This policy will extend battery life and reduce energy consumption by enabling Energy Saver to always be on. Energy Saver will always be on for desktops as well as laptops regardless of battery level for both AC and DC. If you disable or don't configure this policy setting, then Energy Saver will turn on based on the EnergySaverBatteryThreshold group policy.
<!-- EnableEnergySaver-Description-End -->
<!-- EnableEnergySaver-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableEnergySaver-Editable-End -->
<!-- EnableEnergySaver-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableEnergySaver-DFProperties-End -->
<!-- EnableEnergySaver-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable energy saver policy. |
| 1 (Default) | Enable energy saver always-on mode. |
<!-- EnableEnergySaver-AllowedValues-End -->
<!-- EnableEnergySaver-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | EnableEnergySaver |
| Path | Power > AT > System > PowerManagementCat > EnergySaverSettingsCat |
<!-- EnableEnergySaver-GpMapping-End -->
<!-- EnableEnergySaver-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableEnergySaver-Examples-End -->
<!-- EnableEnergySaver-End -->
<!-- EnergySaverBatteryThresholdOnBattery-Begin --> <!-- EnergySaverBatteryThresholdOnBattery-Begin -->
## EnergySaverBatteryThresholdOnBattery ## EnergySaverBatteryThresholdOnBattery
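Review bot: EnableEnergySaver lists "Default Value | 1" (always-on) in the DFProperties table, but the description says that when the policy is disabled or not configured, Energy Saver follows the battery threshold instead, so the stated default and the not-configured behaviour contradict each other. Please confirm which is correct and align the two. The description also refers to "the EnergySaverBatteryThreshold group policy", while the nodes on this page are EnergySaverBatteryThresholdOnBattery and EnergySaverBatteryThresholdPluggedIn; name them exactly.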
@ -344,6 +404,7 @@ This policy setting allows you to specify battery charge level at which Energy S
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-100]` | | Allowed Values | Range: `[0-100]` |
| Default Value | 0 | | Default Value | 0 |
| Dependency [Power_EnergySaverBatteryThresholdOnBattery_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- EnergySaverBatteryThresholdOnBattery-DFProperties-End --> <!-- EnergySaverBatteryThresholdOnBattery-DFProperties-End -->
<!-- EnergySaverBatteryThresholdOnBattery-GpMapping-Begin --> <!-- EnergySaverBatteryThresholdOnBattery-GpMapping-Begin -->
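Review bot: The added Dependency row makes EnergySaverBatteryThresholdOnBattery depend on EnableEnergySaver with allowed value `[1]`, but the EnableEnergySaver description added in this commit says the threshold is what applies when that policy is disabled or not configured. As written, the threshold can only be set in the state where always-on mode overrides it. Please check whether the dependency value should be `[0]` or whether the description is wrong; the same question applies to the EnergySaverBatteryThresholdPluggedIn row in the next hunk.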
@ -403,6 +464,7 @@ This policy setting allows you to specify battery charge level at which Energy S
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-100]` | | Allowed Values | Range: `[0-100]` |
| Default Value | 0 | | Default Value | 0 |
| Dependency [Power_EnergySaverBatteryThresholdPluggedIn_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- EnergySaverBatteryThresholdPluggedIn-DFProperties-End --> <!-- EnergySaverBatteryThresholdPluggedIn-DFProperties-End -->
<!-- EnergySaverBatteryThresholdPluggedIn-GpMapping-Begin --> <!-- EnergySaverBatteryThresholdPluggedIn-GpMapping-Begin -->


@ -1,7 +1,7 @@
--- ---
title: System Policy CSP title: System Policy CSP
description: Learn more about the System Area in Policy CSP. description: Learn more about the System Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -12,6 +12,8 @@ ms.topic: generated-reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- System-Editable-Begin --> <!-- System-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- System-Editable-End --> <!-- System-Editable-End -->
@ -1195,6 +1197,59 @@ If you don't configure this policy setting, or you set it to "Enable diagnostic
<!-- ConfigureTelemetryOptInSettingsUx-End --> <!-- ConfigureTelemetryOptInSettingsUx-End -->
<!-- DisableCHPE-Begin -->
## DisableCHPE
<!-- DisableCHPE-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCHPE-Applicability-End -->
<!-- DisableCHPE-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/System/DisableCHPE
```
<!-- DisableCHPE-OmaUri-End -->
<!-- DisableCHPE-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether loading CHPE binaries is disabled on the ARM64 device. This policy has no effect on x64 devices.
- If you enable this policy setting, ARM64 devices won't load CHPE binaries. This setting is required for hotpatching on ARM64 devices.
- If you disable or don't configure this policy setting, ARM64 devices will load CHPE binaries.
<!-- DisableCHPE-Description-End -->
<!-- DisableCHPE-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCHPE-Editable-End -->
<!-- DisableCHPE-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCHPE-DFProperties-End -->
<!-- DisableCHPE-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CHPE Binaries Enabled (Default). |
| 1 | CHPE Binaries Disabled. |
<!-- DisableCHPE-AllowedValues-End -->
<!-- DisableCHPE-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCHPE-Examples-End -->
<!-- DisableCHPE-End -->
<!-- DisableDeviceDelete-Begin --> <!-- DisableDeviceDelete-Begin -->
## DisableDeviceDelete ## DisableDeviceDelete
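Review bot: In the DisableCHPE Allowed values table the default is marked twice, "0 (Default) | CHPE Binaries Enabled (Default).", so drop the "(Default)" from the description cell. CHPE is never expanded anywhere in the section, and because the description says the setting "is required for hotpatching on ARM64 devices", the Editable block should say what an admin gives up by turning CHPE binaries off and whether a restart is needed before the change takes effect. There is also no Group policy mapping section, unlike the other policies added in this commit; say so if that is intentional.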


@ -1,7 +1,7 @@
--- ---
title: Update Policy CSP title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP. description: Learn more about the Update Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -2054,7 +2054,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | | 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. | | 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. After the update is installed, if the user hasn't scheduled a restart, the device will attempt to restart automatically. The user will be notified about the scheduled restart and can reschedule it if the proposed time is inconvenient. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. |
| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. | | 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. |
| 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. |
| 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. |
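Review bot: In the value 1 row, the replacement text removes the only stated bound ("The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced") and puts no limit in its place, so an admin reading this row can no longer tell how long a pending restart, and with it the installed update, can be deferred. "The device will attempt to restart automatically" followed by "can reschedule it" also blurs the difference from value 2, and it sits awkwardly after the retained sentence saying the end-user is prompted to schedule the restart time. Suggest stating the maximum deferral, or naming the policy that governs it, and saying whether rescheduling can be repeated. While the row is being edited, "don't shutdown properly" should read "don't shut down properly".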

View File

@ -1,7 +1,7 @@
--- ---
title: Reboot DDF file title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: Hotpatch updates title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device description: Use Hotpatch updates to receive security updates without restarting your device
ms.date: 04/02/2025 ms.date: 04/04/2025
ms.service: windows-client ms.service: windows-client
ms.subservice: autopatch ms.subservice: autopatch
ms.topic: how-to ms.topic: how-to
@ -91,7 +91,7 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
1. Select **Devices** from the left navigation menu. 1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**. 1. Under the **Manage updates** section, select **Windows updates**.
1. Go to the **Quality updates** tab. 1. Go to the **Quality updates** tab.
1. Select **Create**, and select **Windows quality update policy (preview)**. 1. Select **Create**, and select **Windows quality update policy**.
1. Under the **Basics** section, enter a name for your new policy and select Next. 1. Under the **Basics** section, enter a name for your new policy and select Next.
1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. 1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
1. Select the appropriate Scope tags or leave as Default and select **Next**. 1. Select the appropriate Scope tags or leave as Default and select **Next**.
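Review bot: The step two lines below the changed one still has unbalanced quoting inside the bold span: `**"When available, apply without restarting the device ("Hotpatch")**` opens a double quote that is never closed, so the setting name the admin has to find in the UI is ambiguous. Since this list is being touched to drop "(preview)", fix it in the same change, for example by bolding the exact label without the outer quote. The Basics step also ends with an unbolded "select Next" while the following steps use **Next**.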

View File

@ -1,7 +1,7 @@
--- ---
title: Hotpatch quality update report title: Hotpatch quality update report
description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
ms.date: 03/31/2025 ms.date: 04/04/2025
ms.service: windows-client ms.service: windows-client
ms.subservice: autopatch ms.subservice: autopatch
ms.topic: how-to ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
- tier1 - tier1
--- ---
# Hotpatch quality update report (public preview) # Hotpatch quality update report
> [!IMPORTANT]
> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md). The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
@ -27,7 +24,7 @@ The Hotpatch quality update report provides a per policy level view of the curre
1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. 1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
1. Select the **Reports** tab. 1. Select the **Reports** tab.
1. Select **Hotpatch quality updates (preview)**. 1. Select **Hotpatch quality updates**.
> [!NOTE] > [!NOTE]
> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency). > The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
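Review bot: The NOTE kept as context under the renamed step says the report is refreshed "with data received by your Windows Autopatch managed devices", while the next sentence says Windows Autopatch "receives data from your managed devices"; the first should read "received from", otherwise the direction of the data flow is reversed. "The last refreshed on date/time" would also read better as "The last refresh date and time". Both are small, but this block is already being edited to remove "(preview)".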