xsd updates

2025-05-12 13:27:23 +00:00 · 2025-04-23 20:26:53 +02:00 · 2025-04-23 20:26:53 +02:00 · 2f0785f52c
commit 2f0785f52c
parent 8914a1a9df 78eed57ca9
58 changed files with 2758 additions and 5454 deletions
--- a/.github/workflows/AutoPublish.yml
+++ b/.github/workflows/AutoPublish.yml
@ -0,0 +1,25 @@
+name: (Scheduled) Publish to live
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  schedule:
+    - cron: "25 5,11,17,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
+
+  workflow_dispatch:
+
+jobs:
+
+  auto-publish:
+    if: github.repository_owner == 'MicrosoftDocs' && contains(github.event.repository.topics, 'build')
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        EnableAutoPublish: true
+
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}
+        PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
+        ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
--- a/.github/workflows/StaleBranch.yml
+++ b/.github/workflows/StaleBranch.yml
@ -3,11 +3,16 @@ name: (Scheduled) Stale branch removal
 permissions:
  contents: write

+# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
+# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.
+# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted.
+# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it.
+
 on:
  schedule:
-    - cron: "0 9 1 * *"
+    - cron: "0 9 1,15-31 * *"

-  # workflow_dispatch:
+  workflow_dispatch:
  

 jobs:
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@ -41,7 +41,7 @@ ms.topic: include
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](/defender-office-365/app-guard-for-office-install)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 11/02/2023
+ms.date: 04/14/2025
 ms.topic: include
 ---

@ -41,7 +41,7 @@ ms.topic: include
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](/defender-office-365/app-guard-for-office-install)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes|
--- a/includes/licensing/unbranded-boot.md
+++ b/includes/licensing/unbranded-boot.md
@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/09/2025
+ms.topic: include
+---
+
+### Windows edition requirements
+
+The following list contains the Windows editions that support Unbranded Boot:
+
+✅ Enterprise / Enterprise LTSC\
+✅ Education\
+✅ IoT Enterprise / IoT Enterprise LTSC
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@ -1,7 +1,7 @@
 ---
 title: Configuration service provider preview policies
 description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 04/04/2025
+ms.date: 04/21/2025
 ms.topic: generated-reference
 ---

@ -111,6 +111,17 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
 - [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)

+## LanmanServer
+
+- [AuditClientDoesNotSupportEncryption](policy-csp-lanmanserver.md#auditclientdoesnotsupportencryption)
+- [AuditClientDoesNotSupportSigning](policy-csp-lanmanserver.md#auditclientdoesnotsupportsigning)
+- [AuditInsecureGuestLogon](policy-csp-lanmanserver.md#auditinsecureguestlogon)
+- [AuthRateLimiterDelayInMs](policy-csp-lanmanserver.md#authratelimiterdelayinms)
+- [EnableAuthRateLimiter](policy-csp-lanmanserver.md#enableauthratelimiter)
+- [EnableMailslots](policy-csp-lanmanserver.md#enablemailslots)
+- [MaxSmb2Dialect](policy-csp-lanmanserver.md#maxsmb2dialect)
+- [MinSmb2Dialect](policy-csp-lanmanserver.md#minsmb2dialect)
+
 ## LanmanWorkstation

 - [AuditInsecureGuestLogon](policy-csp-lanmanworkstation.md#auditinsecureguestlogon)
@ -218,6 +229,22 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription)
 - [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription)

+## WirelessNetworkPreference CSP
+
+- [IsEnabled](wirelessnetworkpreference-csp.md#isenabled)
+- [PreferCellularOverWiFi](wirelessnetworkpreference-csp.md#prefercellularoverwifi)
+- [eSIMprofilesCount](wirelessnetworkpreference-csp.md#statusesimprofilescount)
+- [eSIMprofilesMatched](wirelessnetworkpreference-csp.md#statusesimprofilesmatched)
+- [eSIMpolicyStatus](wirelessnetworkpreference-csp.md#statusesimpolicystatus)
+- [NetworkDiscoveryOption](wirelessnetworkpreference-csp.md#parameterscellularparametersnetworkdiscoveryoption)
+- [MaxRescanIntervalInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparametersmaxrescanintervalinseconds)
+- [PreferredProfileWakeConnectionTimerInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparameterspreferredprofilewakeconnectiontimerinseconds)
+- [ProfileRegistrationTimerInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparametersprofileregistrationtimerinseconds)
+- [ScreenOffDurationToTriggerNetworkDiscoveryInMinutes](wirelessnetworkpreference-csp.md#parameterscellularparametersscreenoffdurationtotriggernetworkdiscoveryinminutes)
+- [Priority](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidpriority)
+- [WirelessType](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidwirelesstype)
+- [PLMNID](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidcellularplmnid)
+
 ## Related articles

 [Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -1,7 +1,7 @@
 ---
 title: Policy CSP
 description: Learn more about the Policy CSP.
-ms.date: 03/12/2025
+ms.date: 04/21/2025
 ms.topic: generated-reference
 ---

@ -1120,6 +1120,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
 - [InternetExplorer](policy-csp-internetexplorer.md)
 - [Kerberos](policy-csp-kerberos.md)
 - [KioskBrowser](policy-csp-kioskbrowser.md)
+- [LanmanServer](policy-csp-lanmanserver.md)
 - [LanmanWorkstation](policy-csp-lanmanworkstation.md)
 - [Licensing](policy-csp-licensing.md)
 - [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@ -144,7 +144,7 @@ Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant
 <!-- AllowMicrosoftAccountSignInAssistant-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!CAUTION]
-> If the Microsoft Account Sign-In Assistant service is disabled, the initial digital license activation with a Multiple Activation Key (MAK) will fail.
+> If the Microsoft Account Sign-In Assistant service is disabled, the initial digital license activation with a Multiple Activation Key (MAK) or Digital Product Key (DPK) will fail.
 <!-- AllowMicrosoftAccountSignInAssistant-Editable-End -->

 <!-- AllowMicrosoftAccountSignInAssistant-DFProperties-Begin -->
--- a/windows/client-management/mdm/policy-csp-lanmanserver.md
+++ b/windows/client-management/mdm/policy-csp-lanmanserver.md
@ -0,0 +1,557 @@
+---
+title: LanmanServer Policy CSP
+description: Learn more about the LanmanServer Area in Policy CSP.
+ms.date: 04/21/2025
+ms.topic: generated-reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- LanmanServer-Begin -->
+# Policy CSP - LanmanServer
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+<!-- LanmanServer-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- LanmanServer-Editable-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-Begin -->
+## AuditClientDoesNotSupportEncryption
+
+<!-- AuditClientDoesNotSupportEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- AuditClientDoesNotSupportEncryption-Applicability-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuditClientDoesNotSupportEncryption
+```
+<!-- AuditClientDoesNotSupportEncryption-OmaUri-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the SMB server will log the event when the SMB client doesn't support encryption.
+
+- If you enable this policy setting, the SMB server will log the event when the SMB client doesn't support encryption.
+
+- If you disable or don't configure this policy setting, the SMB server won't log the event.
+<!-- AuditClientDoesNotSupportEncryption-Description-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AuditClientDoesNotSupportEncryption-Editable-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AuditClientDoesNotSupportEncryption-DFProperties-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- AuditClientDoesNotSupportEncryption-AllowedValues-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_AuditClientDoesNotSupportEncryption |
+| Friendly Name | Audit client does not support encryption |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| Registry Value Name | AuditClientDoesNotSupportEncryption |
+| ADMX File Name | LanmanServer.admx |
+<!-- AuditClientDoesNotSupportEncryption-GpMapping-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AuditClientDoesNotSupportEncryption-Examples-End -->
+
+<!-- AuditClientDoesNotSupportEncryption-End -->
+
+<!-- AuditClientDoesNotSupportSigning-Begin -->
+## AuditClientDoesNotSupportSigning
+
+<!-- AuditClientDoesNotSupportSigning-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- AuditClientDoesNotSupportSigning-Applicability-End -->
+
+<!-- AuditClientDoesNotSupportSigning-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuditClientDoesNotSupportSigning
+```
+<!-- AuditClientDoesNotSupportSigning-OmaUri-End -->
+
+<!-- AuditClientDoesNotSupportSigning-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the SMB server will log the event when the SMB client doesn't support signing.
+
+If you enable this policy setting, the SMB server will log the event when the SMB client doesn't support signing.
+<!-- AuditClientDoesNotSupportSigning-Description-End -->
+
+<!-- AuditClientDoesNotSupportSigning-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AuditClientDoesNotSupportSigning-Editable-End -->
+
+<!-- AuditClientDoesNotSupportSigning-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AuditClientDoesNotSupportSigning-DFProperties-End -->
+
+<!-- AuditClientDoesNotSupportSigning-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- AuditClientDoesNotSupportSigning-AllowedValues-End -->
+
+<!-- AuditClientDoesNotSupportSigning-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_AuditClientDoesNotSupportSigning |
+| Friendly Name | Audit client does not support signing |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| Registry Value Name | AuditClientDoesNotSupportSigning |
+| ADMX File Name | LanmanServer.admx |
+<!-- AuditClientDoesNotSupportSigning-GpMapping-End -->
+
+<!-- AuditClientDoesNotSupportSigning-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AuditClientDoesNotSupportSigning-Examples-End -->
+
+<!-- AuditClientDoesNotSupportSigning-End -->
+
+<!-- AuditInsecureGuestLogon-Begin -->
+## AuditInsecureGuestLogon
+
+<!-- AuditInsecureGuestLogon-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- AuditInsecureGuestLogon-Applicability-End -->
+
+<!-- AuditInsecureGuestLogon-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuditInsecureGuestLogon
+```
+<!-- AuditInsecureGuestLogon-OmaUri-End -->
+
+<!-- AuditInsecureGuestLogon-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the SMB server will enable the audit event when the client is logged-on as guest account.
+
+- If you enable this policy setting, the SMB server will log the event when the client is logged-on as guest account.
+
+- If you disable or don't configure this policy setting, the SMB server won't log the event.
+<!-- AuditInsecureGuestLogon-Description-End -->
+
+<!-- AuditInsecureGuestLogon-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AuditInsecureGuestLogon-Editable-End -->
+
+<!-- AuditInsecureGuestLogon-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AuditInsecureGuestLogon-DFProperties-End -->
+
+<!-- AuditInsecureGuestLogon-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- AuditInsecureGuestLogon-AllowedValues-End -->
+
+<!-- AuditInsecureGuestLogon-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_AuditInsecureGuestLogon |
+| Friendly Name | Audit insecure guest logon |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| Registry Value Name | AuditInsecureGuestLogon |
+| ADMX File Name | LanmanServer.admx |
+<!-- AuditInsecureGuestLogon-GpMapping-End -->
+
+<!-- AuditInsecureGuestLogon-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AuditInsecureGuestLogon-Examples-End -->
+
+<!-- AuditInsecureGuestLogon-End -->
+
+<!-- AuthRateLimiterDelayInMs-Begin -->
+## AuthRateLimiterDelayInMs
+
+<!-- AuthRateLimiterDelayInMs-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- AuthRateLimiterDelayInMs-Applicability-End -->
+
+<!-- AuthRateLimiterDelayInMs-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuthRateLimiterDelayInMs
+```
+<!-- AuthRateLimiterDelayInMs-OmaUri-End -->
+
+<!-- AuthRateLimiterDelayInMs-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the SMB server will use a default value in milliseconds for the invalid authentication delay.
+
+- If you configure this policy setting, the authentication rate limiter will use the specified value for delaying invalid authentication attempts.
+
+- If you don't configure this policy setting, the authentication rate limiter will use the default value or the value from local registry under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
+<!-- AuthRateLimiterDelayInMs-Description-End -->
+
+<!-- AuthRateLimiterDelayInMs-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AuthRateLimiterDelayInMs-Editable-End -->
+
+<!-- AuthRateLimiterDelayInMs-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-10000]` |
+| Default Value  | 2000 |
+<!-- AuthRateLimiterDelayInMs-DFProperties-End -->
+
+<!-- AuthRateLimiterDelayInMs-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_AuthRateLimiterDelayInMs |
+| Friendly Name | Set authentication rate limiter delay (milliseconds) |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| ADMX File Name | LanmanServer.admx |
+<!-- AuthRateLimiterDelayInMs-GpMapping-End -->
+
+<!-- AuthRateLimiterDelayInMs-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AuthRateLimiterDelayInMs-Examples-End -->
+
+<!-- AuthRateLimiterDelayInMs-End -->
+
+<!-- EnableAuthRateLimiter-Begin -->
+## EnableAuthRateLimiter
+
+<!-- EnableAuthRateLimiter-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- EnableAuthRateLimiter-Applicability-End -->
+
+<!-- EnableAuthRateLimiter-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/EnableAuthRateLimiter
+```
+<!-- EnableAuthRateLimiter-OmaUri-End -->
+
+<!-- EnableAuthRateLimiter-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the SMB server will enable or disable the authentication rate limiter.
+
+- If you disable this policy setting, the authentication rate limiter won't be enabled.
+
+- If you don't configure this policy setting, the authentication rate limiter may still be working depending on the delay settings (the recommended delay value is 2000ms).
+<!-- EnableAuthRateLimiter-Description-End -->
+
+<!-- EnableAuthRateLimiter-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableAuthRateLimiter-Editable-End -->
+
+<!-- EnableAuthRateLimiter-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- EnableAuthRateLimiter-DFProperties-End -->
+
+<!-- EnableAuthRateLimiter-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Enabled. |
+<!-- EnableAuthRateLimiter-AllowedValues-End -->
+
+<!-- EnableAuthRateLimiter-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_EnableAuthRateLimiter |
+| Friendly Name | Enable authentication rate limiter |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| Registry Value Name | EnableAuthRateLimiter |
+| ADMX File Name | LanmanServer.admx |
+<!-- EnableAuthRateLimiter-GpMapping-End -->
+
+<!-- EnableAuthRateLimiter-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableAuthRateLimiter-Examples-End -->
+
+<!-- EnableAuthRateLimiter-End -->
+
+<!-- EnableMailslots-Begin -->
+## EnableMailslots
+
+<!-- EnableMailslots-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- EnableMailslots-Applicability-End -->
+
+<!-- EnableMailslots-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/EnableMailslots
+```
+<!-- EnableMailslots-OmaUri-End -->
+
+<!-- EnableMailslots-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the SMB server will enable or disable remote mailslots over the computer browser service.
+
+- If you disable this policy setting, the computer browser service will no longer run as expected.
+
+- If you don't configure this policy setting, the computer browser may still be working with remote mailslots enabled.
+
+> [!NOTE]
+> This policy requires a Windows reboot to take effect.
+<!-- EnableMailslots-Description-End -->
+
+<!-- EnableMailslots-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableMailslots-Editable-End -->
+
+<!-- EnableMailslots-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableMailslots-DFProperties-End -->
+
+<!-- EnableMailslots-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- EnableMailslots-AllowedValues-End -->
+
+<!-- EnableMailslots-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_EnableMailslots |
+| Friendly Name | Enable remote mailslots |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Bowser |
+| Registry Value Name | EnableMailslots |
+| ADMX File Name | LanmanServer.admx |
+<!-- EnableMailslots-GpMapping-End -->
+
+<!-- EnableMailslots-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableMailslots-Examples-End -->
+
+<!-- EnableMailslots-End -->
+
+<!-- MaxSmb2Dialect-Begin -->
+## MaxSmb2Dialect
+
+<!-- MaxSmb2Dialect-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- MaxSmb2Dialect-Applicability-End -->
+
+<!-- MaxSmb2Dialect-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/MaxSmb2Dialect
+```
+<!-- MaxSmb2Dialect-OmaUri-End -->
+
+<!-- MaxSmb2Dialect-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls the maximum version of SMB protocol.
+
+> [!NOTE]
+> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
+<!-- MaxSmb2Dialect-Description-End -->
+
+<!-- MaxSmb2Dialect-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MaxSmb2Dialect-Editable-End -->
+
+<!-- MaxSmb2Dialect-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 785 |
+<!-- MaxSmb2Dialect-DFProperties-End -->
+
+<!-- MaxSmb2Dialect-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 514 | SMB 2.0.2. |
+| 528 | SMB 2.1.0. |
+| 768 | SMB 3.0.0. |
+| 770 | SMB 3.0.2. |
+| 785 (Default) | SMB 3.1.1. |
+<!-- MaxSmb2Dialect-AllowedValues-End -->
+
+<!-- MaxSmb2Dialect-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_MaxSmb2Dialect |
+| Friendly Name | Mandate the maximum version of SMB |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| ADMX File Name | LanmanServer.admx |
+<!-- MaxSmb2Dialect-GpMapping-End -->
+
+<!-- MaxSmb2Dialect-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MaxSmb2Dialect-Examples-End -->
+
+<!-- MaxSmb2Dialect-End -->
+
+<!-- MinSmb2Dialect-Begin -->
+## MinSmb2Dialect
+
+<!-- MinSmb2Dialect-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
+<!-- MinSmb2Dialect-Applicability-End -->
+
+<!-- MinSmb2Dialect-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanServer/MinSmb2Dialect
+```
+<!-- MinSmb2Dialect-OmaUri-End -->
+
+<!-- MinSmb2Dialect-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls the minimum version of SMB protocol.
+
+> [!NOTE]
+> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
+<!-- MinSmb2Dialect-Description-End -->
+
+<!-- MinSmb2Dialect-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MinSmb2Dialect-Editable-End -->
+
+<!-- MinSmb2Dialect-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 514 |
+<!-- MinSmb2Dialect-DFProperties-End -->
+
+<!-- MinSmb2Dialect-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 514 (Default) | SMB 2.0.2. |
+| 528 | SMB 2.1.0. |
+| 768 | SMB 3.0.0. |
+| 770 | SMB 3.0.2. |
+| 785 | SMB 3.1.1. |
+<!-- MinSmb2Dialect-AllowedValues-End -->
+
+<!-- MinSmb2Dialect-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_MinSmb2Dialect |
+| Friendly Name | Mandate the minimum version of SMB |
+| Location | Computer Configuration |
+| Path | Network > Lanman Server |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer |
+| ADMX File Name | LanmanServer.admx |
+<!-- MinSmb2Dialect-GpMapping-End -->
+
+<!-- MinSmb2Dialect-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MinSmb2Dialect-Examples-End -->
+
+<!-- MinSmb2Dialect-End -->
+
+<!-- LanmanServer-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- LanmanServer-CspMoreInfo-End -->
+
+<!-- LanmanServer-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@ -471,6 +471,8 @@ items:
          href: policy-csp-kerberos.md
        - name: KioskBrowser
          href: policy-csp-kioskbrowser.md
+        - name: LanmanServer
+          href: policy-csp-lanmanserver.md
        - name: LanmanWorkstation
          href: policy-csp-lanmanworkstation.md
        - name: Licensing
@ -999,3 +1001,8 @@ items:
      items:
      - name: WiredNetwork DDF file
        href: wirednetwork-ddf-file.md
+    - name: WirelessNetworkPreference
+      href: wirelessnetworkpreference-csp.md
+      items:
+      - name: WirelessNetworkPreference DDF file
+        href: wirelessnetworkpreference-ddf-file.md
--- a/windows/client-management/mdm/wirelessnetworkpreference-csp.md
+++ b/windows/client-management/mdm/wirelessnetworkpreference-csp.md
@ -0,0 +1,844 @@
+---
+title: WirelessNetworkPreference CSP
+description: Learn more about the WirelessNetworkPreference CSP.
+ms.date: 04/21/2025
+ms.topic: generated-reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- WirelessNetworkPreference-Begin -->
+# WirelessNetworkPreference CSP
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+<!-- WirelessNetworkPreference-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- WirelessNetworkPreference-Editable-End -->
+
+<!-- WirelessNetworkPreference-Tree-Begin -->
+The following list shows the WirelessNetworkPreference configuration service provider nodes:
+
+- ./Device/Vendor/MSFT/WirelessNetworkPreference
+  - [ConnectionProfiles](#connectionprofiles)
+    - [{ConnectionProfileID}](#connectionprofilesconnectionprofileid)
+      - [Cellular](#connectionprofilesconnectionprofileidcellular)
+        - [PLMNID](#connectionprofilesconnectionprofileidcellularplmnid)
+      - [Priority](#connectionprofilesconnectionprofileidpriority)
+      - [WirelessType](#connectionprofilesconnectionprofileidwirelesstype)
+  - [IsEnabled](#isenabled)
+  - [Parameters](#parameters)
+    - [CellularParameters](#parameterscellularparameters)
+      - [MaxRescanIntervalInSeconds](#parameterscellularparametersmaxrescanintervalinseconds)
+      - [NetworkDiscoveryOption](#parameterscellularparametersnetworkdiscoveryoption)
+      - [PreferredProfileWakeConnectionTimerInSeconds](#parameterscellularparameterspreferredprofilewakeconnectiontimerinseconds)
+      - [ProfileRegistrationTimerInSeconds](#parameterscellularparametersprofileregistrationtimerinseconds)
+      - [ScreenOffDurationToTriggerNetworkDiscoveryInMinutes](#parameterscellularparametersscreenoffdurationtotriggernetworkdiscoveryinminutes)
+  - [PreferCellularOverWiFi](#prefercellularoverwifi)
+  - [Status](#status)
+    - [eSIMpolicyStatus](#statusesimpolicystatus)
+    - [eSIMprofilesCount](#statusesimprofilescount)
+    - [eSIMprofilesMatched](#statusesimprofilesmatched)
+<!-- WirelessNetworkPreference-Tree-End -->
+
+<!-- Device-ConnectionProfiles-Begin -->
+## ConnectionProfiles
+
+<!-- Device-ConnectionProfiles-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-ConnectionProfiles-Applicability-End -->
+
+<!-- Device-ConnectionProfiles-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles
+```
+<!-- Device-ConnectionProfiles-OmaUri-End -->
+
+<!-- Device-ConnectionProfiles-Description-Begin -->
+<!-- Description-Source-DDF -->
+Profiles to connect to wireless networks in a specified priority order.
+<!-- Device-ConnectionProfiles-Description-End -->
+
+<!-- Device-ConnectionProfiles-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-Editable-End -->
+
+<!-- Device-ConnectionProfiles-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-ConnectionProfiles-DFProperties-End -->
+
+<!-- Device-ConnectionProfiles-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-Examples-End -->
+
+<!-- Device-ConnectionProfiles-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Begin -->
+### ConnectionProfiles/{ConnectionProfileID}
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Applicability-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}
+```
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-OmaUri-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Unique identifier of a network preference policy. Unique ID is auto-generated.
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Description-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Editable-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-DFProperties-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Examples-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Begin -->
+#### ConnectionProfiles/{ConnectionProfileID}/Cellular
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Applicability-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/Cellular
+```
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-OmaUri-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Description-Begin -->
+<!-- Description-Source-DDF -->
+Identifiers for cellular networks.
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Description-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Editable-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-DFProperties-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-Examples-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Begin -->
+##### ConnectionProfiles/{ConnectionProfileID}/Cellular/PLMNID
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Applicability-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/Cellular/PLMNID
+```
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-OmaUri-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Description-Begin -->
+<!-- Description-Source-DDF -->
+5- or 6-digit string identifying a cellular network. It consists of the combination of Mobile Country Code (MCC) and Mobile Network Code (MNC).
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Description-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Editable-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[0-9]{5,6}$` |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-DFProperties-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-Examples-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Cellular-PLMNID-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Begin -->
+#### ConnectionProfiles/{ConnectionProfileID}/Priority
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Applicability-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/Priority
+```
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-OmaUri-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Description-Begin -->
+<!-- Description-Source-DDF -->
+Priority of a policy compared to the others where 1 represents the highest priority. Thus, the smaller this value is, the higher preference this specific network will receive in establishing a data connection.
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Description-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Editable-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-2147483647]` |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-DFProperties-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-Examples-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-Priority-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Begin -->
+#### ConnectionProfiles/{ConnectionProfileID}/WirelessType
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Applicability-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/WirelessType
+```
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-OmaUri-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Description-Begin -->
+<!-- Description-Source-DDF -->
+Type of wireless network (either Cellular or Wi-Fi). 0 represents Cellular, and 1 represents Wi-Fi. Currently only cellular is supported.
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Description-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Editable-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bin` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-DFProperties-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Cellular. |
+| 1 | Wi-Fi. |
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-AllowedValues-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-Examples-End -->
+
+<!-- Device-ConnectionProfiles-{ConnectionProfileID}-WirelessType-End -->
+
+<!-- Device-IsEnabled-Begin -->
+## IsEnabled
+
+<!-- Device-IsEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-IsEnabled-Applicability-End -->
+
+<!-- Device-IsEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/IsEnabled
+```
+<!-- Device-IsEnabled-OmaUri-End -->
+
+<!-- Device-IsEnabled-Description-Begin -->
+<!-- Description-Source-DDF -->
+It determines whether the wireless connectivity management policy is enabled or not.
+<!-- Device-IsEnabled-Description-End -->
+
+<!-- Device-IsEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-IsEnabled-Editable-End -->
+
+<!-- Device-IsEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Get, Replace |
+| Default Value  | False |
+<!-- Device-IsEnabled-DFProperties-End -->
+
+<!-- Device-IsEnabled-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False (Default) | Disable the wireless management policy. |
+| True | Enable the wireless management policy. |
+<!-- Device-IsEnabled-AllowedValues-End -->
+
+<!-- Device-IsEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-IsEnabled-Examples-End -->
+
+<!-- Device-IsEnabled-End -->
+
+<!-- Device-Parameters-Begin -->
+## Parameters
+
+<!-- Device-Parameters-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-Applicability-End -->
+
+<!-- Device-Parameters-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters
+```
+<!-- Device-Parameters-OmaUri-End -->
+
+<!-- Device-Parameters-Description-Begin -->
+<!-- Description-Source-DDF -->
+Parameters to configure the behavior of the wireless connectivity management service.
+<!-- Device-Parameters-Description-End -->
+
+<!-- Device-Parameters-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-Editable-End -->
+
+<!-- Device-Parameters-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Parameters-DFProperties-End -->
+
+<!-- Device-Parameters-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-Examples-End -->
+
+<!-- Device-Parameters-End -->
+
+<!-- Device-Parameters-CellularParameters-Begin -->
+### Parameters/CellularParameters
+
+<!-- Device-Parameters-CellularParameters-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-CellularParameters-Applicability-End -->
+
+<!-- Device-Parameters-CellularParameters-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters
+```
+<!-- Device-Parameters-CellularParameters-OmaUri-End -->
+
+<!-- Device-Parameters-CellularParameters-Description-Begin -->
+<!-- Description-Source-DDF -->
+Parameters to configure the cellular-specific behavior of the wireless connectivity management service.
+<!-- Device-Parameters-CellularParameters-Description-End -->
+
+<!-- Device-Parameters-CellularParameters-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-Editable-End -->
+
+<!-- Device-Parameters-CellularParameters-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Parameters-CellularParameters-DFProperties-End -->
+
+<!-- Device-Parameters-CellularParameters-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-Examples-End -->
+
+<!-- Device-Parameters-CellularParameters-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Begin -->
+#### Parameters/CellularParameters/MaxRescanIntervalInSeconds
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Applicability-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/MaxRescanIntervalInSeconds
+```
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-OmaUri-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Description-Begin -->
+<!-- Description-Source-DDF -->
+Maximum time (in seconds) from the point that no connection could be established using the permissible eSIM profiles on the device to the start of the next round of network discovery attempts. A smaller interval increases network discovery frequency and can decrease battery life significantly. A value of 0 means that the device is to pick a reasonable interval per its own discretion.
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Description-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Editable-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[0-360]` |
+| Default Value  | 0 |
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-DFProperties-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-Examples-End -->
+
+<!-- Device-Parameters-CellularParameters-MaxRescanIntervalInSeconds-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Begin -->
+#### Parameters/CellularParameters/NetworkDiscoveryOption
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Applicability-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/NetworkDiscoveryOption
+```
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-OmaUri-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Description-Begin -->
+<!-- Description-Source-DDF -->
+Configures which approach should be used in the network discovery process. There are two possible values: (0) no network scan will be performed - rather, registration and connection will be attempted with each eSIM profile in descending order of preference; or (1) Network scan will be performed using the current active eSIM profile. This option works for modems that when performing a network scan show the complete list of available networks independently of which eSIM profile is active.
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Description-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Editable-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-DFProperties-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | No network scan will be performed -- rather, registration and connection will be attempted with each eSIM profile in descending order of preference. |
+| 1 | Network scan will be performed using the current active eSIM profile. |
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-AllowedValues-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-Examples-End -->
+
+<!-- Device-Parameters-CellularParameters-NetworkDiscoveryOption-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Begin -->
+#### Parameters/CellularParameters/PreferredProfileWakeConnectionTimerInSeconds
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Applicability-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/PreferredProfileWakeConnectionTimerInSeconds
+```
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-OmaUri-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Description-Begin -->
+<!-- Description-Source-DDF -->
+When the device is woken from sleep with the most-preferred profile already enabled, this value configures the amount of time (in seconds) before the agent will give up on waiting for connection re-establishment with the most-preferred profile and start network discovery.
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Description-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Editable-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[30-360]` |
+| Default Value  | 200 |
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-DFProperties-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-Examples-End -->
+
+<!-- Device-Parameters-CellularParameters-PreferredProfileWakeConnectionTimerInSeconds-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Begin -->
+#### Parameters/CellularParameters/ProfileRegistrationTimerInSeconds
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Applicability-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/ProfileRegistrationTimerInSeconds
+```
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-OmaUri-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Description-Begin -->
+<!-- Description-Source-DDF -->
+When evaluating eSIM profiles for connectivity, this value configures the amount of time (in seconds) that the agent will wait for network registration before considering this profile unsatisfactory and moving on to the next one.
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Description-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Editable-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[30-360]` |
+| Default Value  | 60 |
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-DFProperties-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-Examples-End -->
+
+<!-- Device-Parameters-CellularParameters-ProfileRegistrationTimerInSeconds-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Begin -->
+#### Parameters/CellularParameters/ScreenOffDurationToTriggerNetworkDiscoveryInMinutes
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Applicability-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/ScreenOffDurationToTriggerNetworkDiscoveryInMinutes
+```
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-OmaUri-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Description-Begin -->
+<!-- Description-Source-DDF -->
+When the device experiences screen off and back on, this value configures the minimum duration (in minutes) of the screen off period that will trigger network discovery.
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Description-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Editable-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[0-30]` |
+| Default Value  | 10 |
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-DFProperties-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-Examples-End -->
+
+<!-- Device-Parameters-CellularParameters-ScreenOffDurationToTriggerNetworkDiscoveryInMinutes-End -->
+
+<!-- Device-PreferCellularOverWiFi-Begin -->
+## PreferCellularOverWiFi
+
+<!-- Device-PreferCellularOverWiFi-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-PreferCellularOverWiFi-Applicability-End -->
+
+<!-- Device-PreferCellularOverWiFi-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/PreferCellularOverWiFi
+```
+<!-- Device-PreferCellularOverWiFi-OmaUri-End -->
+
+<!-- Device-PreferCellularOverWiFi-Description-Begin -->
+<!-- Description-Source-DDF -->
+It determines the order of preference between Wi-Fi and cellular networks. When the value is set to "False", Wi-Fi is preferred over cellular. When the value is set to "True", cellular is preferred over Wi-Fi.
+<!-- Device-PreferCellularOverWiFi-Description-End -->
+
+<!-- Device-PreferCellularOverWiFi-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-PreferCellularOverWiFi-Editable-End -->
+
+<!-- Device-PreferCellularOverWiFi-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Get, Replace |
+| Default Value  | False |
+<!-- Device-PreferCellularOverWiFi-DFProperties-End -->
+
+<!-- Device-PreferCellularOverWiFi-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False (Default) | Prefer Wi-Fi over Cellular. |
+| True | Prefer Cellular over Wi-Fi. |
+<!-- Device-PreferCellularOverWiFi-AllowedValues-End -->
+
+<!-- Device-PreferCellularOverWiFi-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-PreferCellularOverWiFi-Examples-End -->
+
+<!-- Device-PreferCellularOverWiFi-End -->
+
+<!-- Device-Status-Begin -->
+## Status
+
+<!-- Device-Status-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Status-Applicability-End -->
+
+<!-- Device-Status-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Status
+```
+<!-- Device-Status-OmaUri-End -->
+
+<!-- Device-Status-Description-Begin -->
+<!-- Description-Source-DDF -->
+Nodes that indicate the status of the wireless connectivity management service.
+<!-- Device-Status-Description-End -->
+
+<!-- Device-Status-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-Editable-End -->
+
+<!-- Device-Status-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Status-DFProperties-End -->
+
+<!-- Device-Status-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-Examples-End -->
+
+<!-- Device-Status-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-Begin -->
+### Status/eSIMpolicyStatus
+
+<!-- Device-Status-eSIMpolicyStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Status-eSIMpolicyStatus-Applicability-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Status/eSIMpolicyStatus
+```
+<!-- Device-Status-eSIMpolicyStatus-OmaUri-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-Description-Begin -->
+<!-- Description-Source-DDF -->
+An integer indicating the current status of the wireless connectivity management service. If the value is zero, there are no errors. \n\n 0 = No errors. \n 1 = No policies are configured. \n 2 = More than one policy has the same priority. \n 3 = More than one policy references the same PLMNID. \n 4 = Invalid PLMNID for one or more of the configured profiles. \n 5 = More than one eSIM profile stored in the eUICC with the same PLMN ID. \n 6 = Invalid configuration value for one or more of the cellular parameters. Please review CSP documentation. \n\n Warning: Any of these errors will result in a complete halt of the wireless connectivity management service.
+<!-- Device-Status-eSIMpolicyStatus-Description-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-eSIMpolicyStatus-Editable-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+<!-- Device-Status-eSIMpolicyStatus-DFProperties-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-eSIMpolicyStatus-Examples-End -->
+
+<!-- Device-Status-eSIMpolicyStatus-End -->
+
+<!-- Device-Status-eSIMprofilesCount-Begin -->
+### Status/eSIMprofilesCount
+
+<!-- Device-Status-eSIMprofilesCount-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Status-eSIMprofilesCount-Applicability-End -->
+
+<!-- Device-Status-eSIMprofilesCount-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Status/eSIMprofilesCount
+```
+<!-- Device-Status-eSIMprofilesCount-OmaUri-End -->
+
+<!-- Device-Status-eSIMprofilesCount-Description-Begin -->
+<!-- Description-Source-DDF -->
+Count of operational eSIM profiles stored in the eUICC.
+<!-- Device-Status-eSIMprofilesCount-Description-End -->
+
+<!-- Device-Status-eSIMprofilesCount-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-eSIMprofilesCount-Editable-End -->
+
+<!-- Device-Status-eSIMprofilesCount-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+<!-- Device-Status-eSIMprofilesCount-DFProperties-End -->
+
+<!-- Device-Status-eSIMprofilesCount-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-eSIMprofilesCount-Examples-End -->
+
+<!-- Device-Status-eSIMprofilesCount-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-Begin -->
+### Status/eSIMprofilesMatched
+
+<!-- Device-Status-eSIMprofilesMatched-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Status-eSIMprofilesMatched-Applicability-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/Status/eSIMprofilesMatched
+```
+<!-- Device-Status-eSIMprofilesMatched-OmaUri-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-Description-Begin -->
+<!-- Description-Source-DDF -->
+Count of operational eSIM profiles stored on the eUICC whose PLMN matches one of the ConnectionProfileIDs setup under the ConnectionProfiles node. Only matched profiles with no errors will be counted. If more than one eSIM profile with the same PLMN ID is configured on the policy and/or more than one eSIM profile with the same PLMN ID is stored in the eUICC, then they won't be counted even if there is a match.
+<!-- Device-Status-eSIMprofilesMatched-Description-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-eSIMprofilesMatched-Editable-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+<!-- Device-Status-eSIMprofilesMatched-DFProperties-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-eSIMprofilesMatched-Examples-End -->
+
+<!-- Device-Status-eSIMprofilesMatched-End -->
+
+<!-- WirelessNetworkPreference-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- WirelessNetworkPreference-CspMoreInfo-End -->
+
+<!-- WirelessNetworkPreference-End -->
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md
+++ b/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md
@ -0,0 +1,543 @@
+---
+title: WirelessNetworkPreference DDF file
+description: View the XML file containing the device description framework (DDF) for the WirelessNetworkPreference configuration service provider.
+ms.date: 04/21/2025
+ms.topic: generated-reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+# WirelessNetworkPreference DDF file
+
+The following XML file contains the device description framework (DDF) for the WirelessNetworkPreference configuration service provider.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>WirelessNetworkPreference</NodeName>
+    <Path>./Device/Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <Description>Represents information associated with wireless networks prioritization including detailed connectivity priorities for specific cellular networks with a unique PLMN_ID.</Description>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <DDFName />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
+    <Node>
+      <NodeName>IsEnabled</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>False</DefaultValue>
+        <Description>It determines whether the wireless connectivity management policy is enabled or not.</Description>
+        <DFFormat>
+          <bool />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>False</MSFT:Value>
+            <MSFT:ValueDescription>Disable the wireless management policy.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>True</MSFT:Value>
+            <MSFT:ValueDescription>Enable the wireless management policy.</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>PreferCellularOverWiFi</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>False</DefaultValue>
+        <Description>It determines the order of preference between Wi-Fi and cellular networks. When the value is set to “False”, Wi-Fi is preferred over cellular. When the value is set to “True”, cellular is preferred over Wi-Fi. </Description>
+        <DFFormat>
+          <bool />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>False</MSFT:Value>
+            <MSFT:ValueDescription>Prefer Wi-Fi over Cellular.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>True</MSFT:Value>
+            <MSFT:ValueDescription>Prefer Cellular over Wi-Fi.</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>Status</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Nodes that indicate the status of the wireless connectivity management service.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>eSIMprofilesCount</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Count of operational eSIM profiles stored in the eUICC.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>eSIMprofilesMatched</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Count of operational eSIM profiles stored on the eUICC whose PLMN matches one of the ConnectionProfileIDs setup under the ConnectionProfiles node. Only matched profiles with no errors will be counted. If more than one eSIM profile with the same PLMN ID is configured on the policy and/or more than one eSIM profile with the same PLMN ID is stored in the eUICC, then they will not be counted even if there is a match.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>eSIMpolicyStatus</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>An integer indicating the current status of the wireless connectivity management service. If the value is zero, there are no errors. \n\n 0 = No errors. \n 1 = No policies are configured. \n 2 = More than one policy has the same priority. \n 3 = More than one policy references the same PLMNID. \n 4 = Invalid PLMNID for one or more of the configured profiles. \n 5 = More than one eSIM profile stored in the eUICC with the same PLMN ID. \n 6 = Invalid configuration value for one or more of the cellular parameters. Please review CSP documentation. \n\n Warning: Any of these errors will result in a complete halt of the wireless connectivity management service.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>Parameters</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Parameters to configure the behavior of the wireless connectivity management service.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>CellularParameters</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Parameters to configure the cellular-specific behavior of the wireless connectivity management service.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <DDFName />
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>NetworkDiscoveryOption</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>0</DefaultValue>
+            <Description>Configures which approach should be used in the network discovery process. There are two possible values: (0) no network scan will be performed – rather, registration and connection will be attempted with each eSIM profile in descending order of preference; or (1) Network scan will be performed using the current active eSIM profile. This option works for modems that when performing a network scan show the complete list of available networks independently of which eSIM profile is active.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="ENUM">
+              <MSFT:Enum>
+                <MSFT:Value>0</MSFT:Value>
+                <MSFT:ValueDescription>No network scan will be performed -- rather, registration and connection will be attempted with each eSIM profile in descending order of preference.</MSFT:ValueDescription>
+              </MSFT:Enum>
+              <MSFT:Enum>
+                <MSFT:Value>1</MSFT:Value>
+                <MSFT:ValueDescription>Network scan will be performed using the current active eSIM profile.</MSFT:ValueDescription>
+              </MSFT:Enum>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>MaxRescanIntervalInSeconds</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>0</DefaultValue>
+            <Description>Maximum time (in seconds) from the point that no connection could be established using the permissible eSIM profiles on the device to the start of the next round of network discovery attempts. A smaller interval increases network discovery frequency and can decrease battery life significantly. A value of 0 means that the device is to pick a reasonable interval per its own discretion.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="Range">
+              <MSFT:Value>[0-360]</MSFT:Value>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>PreferredProfileWakeConnectionTimerInSeconds</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>200</DefaultValue>
+            <Description>When the device is woken from sleep with the most-preferred profile already enabled, this value configures the amount of time (in seconds) before the agent will give up on waiting for connection re-establishment with the most-preferred profile and start network discovery.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="Range">
+              <MSFT:Value>[30-360]</MSFT:Value>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>ProfileRegistrationTimerInSeconds</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>60</DefaultValue>
+            <Description>When evaluating eSIM profiles for connectivity, this value configures the amount of time (in seconds) that the agent will wait for network registration before considering this profile unsatisfactory and moving on to the next one.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="Range">
+              <MSFT:Value>[30-360]</MSFT:Value>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>ScreenOffDurationToTriggerNetworkDiscoveryInMinutes</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>10</DefaultValue>
+            <Description>When the device experiences screen off and back on, this value configures the minimum duration (in minutes) of the screen off period that will trigger network discovery.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="Range">
+              <MSFT:Value>[0-30]</MSFT:Value>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>ConnectionProfiles</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Profiles to connect to wireless networks in a specified priority order.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>
+        </NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+          </AccessType>
+          <Description>Unique identifier of a network preference policy. Unique ID is auto-generated.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrMore />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>ConnectionProfileID</DFTitle>
+          <DFType>
+            <DDFName />
+          </DFType>
+          <MSFT:DynamicNodeNaming>
+            <MSFT:ServerGeneratedUniqueIdentifier />
+          </MSFT:DynamicNodeNaming>
+        </DFProperties>
+        <Node>
+          <NodeName>Priority</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Priority of a policy compared to the others where 1 represents the highest priority. Thus, the smaller this value is, the higher preference this specific network will receive in establishing a data connection. </Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="Range">
+              <MSFT:Value>[1-2147483647]</MSFT:Value>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>WirelessType</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>0</DefaultValue>
+            <Description>Type of wireless network (either Cellular or Wi-Fi). 0 represents Cellular, and 1 represents Wi-Fi. Currently only cellular is supported.</Description>
+            <DFFormat>
+              <bin />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:AllowedValues ValueType="ENUM">
+              <MSFT:Enum>
+                <MSFT:Value>0</MSFT:Value>
+                <MSFT:ValueDescription>Cellular</MSFT:ValueDescription>
+              </MSFT:Enum>
+              <MSFT:Enum>
+                <MSFT:Value>1</MSFT:Value>
+                <MSFT:ValueDescription>Wi-Fi</MSFT:ValueDescription>
+              </MSFT:Enum>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>Cellular</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+            </AccessType>
+            <Description>Identifiers for cellular networks.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>PLMNID</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>5- or 6-digit string identifying a cellular network. It consists of the combination of Mobile Country Code (MCC) and Mobile Network Code (MNC). </Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="RegEx">
+                <MSFT:Value>^[0-9]{5,6}$</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
+        </Node>
+      </Node>
+    </Node>
+  </Node>
+</MgmtTree>
+```
+
+## Related articles
+
+[WirelessNetworkPreference configuration service provider reference](wirelessnetworkpreference-csp.md)
--- a/windows/configuration/images/icons/xml.svg
+++ b/windows/configuration/images/icons/xml.svg
@ -0,0 +1,7 @@
+<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M3.46385 12.006L1.41972 14.0625L3.46272 16.11L2.66735 16.9054L0.224976 14.4596V13.6643L2.66622 11.2129L3.46385 12.006ZM9.79985 11.2185L9.01235 12.0161L11.0666 14.0625L9.00672 16.11L9.79985 16.9076L12.2625 14.463V13.6654L9.79985 11.2185ZM4.5281 17.2598L5.59685 17.6153L7.84685 10.8653L6.7781 10.5098L4.5281 17.2598Z" fill="#0883D9"/>
+<g opacity="0.75">
+<path d="M15.5858 4.66425L12.2108 1.28925L11.8125 1.125H2.8125L2.25 1.6875V10.125H3.375V2.25H11.25V5.625H14.625V15.75H12.5618L11.43 16.875H15.1875L15.75 16.3125V5.0625L15.5858 4.66425Z" fill="#0883D9"/>
+<path opacity="0.1" d="M15.1875 5.0625V16.3125H11.9959L13.3875 14.931V13.1985L10.125 10.125H2.8125V1.6875H11.8125L15.1875 5.0625Z" fill="#0883D9"/>
+</g>
+</svg>
--- a/windows/configuration/unbranded-boot/images/boot.jpg
+++ b/windows/configuration/unbranded-boot/images/boot.jpg
--- a/windows/configuration/unbranded-boot/images/boot.png
+++ b/windows/configuration/unbranded-boot/images/boot.png
--- a/windows/configuration/unbranded-boot/index.md
+++ b/windows/configuration/unbranded-boot/index.md
@ -1,160 +1,155 @@
 ---
 title: Unbranded Boot
-description: Unbranded Boot
-ms.date: 09/10/2024
-ms.topic: overview
+description: Learn about Unbranded Boot, a feature that suppresses Windows elements that appear when Windows starts. Unbranded Boot can also suppress the crash screen when Windows encounters an error that it can't recover from.
+ms.date: 04/11/2025
+ms.topic: how-to
 ---

 # Unbranded Boot

-You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot.
+Unbranded Boot is a Windows feature that allows you to suppress Windows elements that appear when Windows starts. It can also suppress the crash screen when Windows encounters an error that it can't recover from. This feature is useful for devices that are used in public spaces, such as kiosks and digital signs, where a clean and professional appearance is important.
+
+[!INCLUDE [unbranded-boot](../../../includes/licensing/unbranded-boot.md)]
+
+## Enable Unbranded Boot
+
+Unbranded Boot is an optional component and isn't enabled by default in Windows. To configure it, you must first enable it.
+
+There are different ways to enable Unbranded Boot, select the method that best fits your needs to learn more.
+
+#### [:::image type="icon" source="../images/icons/control-panel.svg"::: **Control Panel**](#tab/control-panel1)
+
+To enable Unbranded Boot using the Control Panel, follow these steps:
+
+1. Open **Control Panel** > **Programs** > **Turn Windows features on or off** or use the command `optionalfeatures.exe`
+1. Expand **Device Lockdown** and select **Unbranded Boot**
+1. Select **OK** to enable Unbranded Boot
+1. Restart your device to apply the changes
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/powershell1)
+
+To enable Unbranded Boot using PowerShell, follow these steps:
+
+1. Open a PowerShell window with administrator privileges
+1. Run the following command:
+    ```powershell
+    Enable-WindowsOptionalFeature -FeatureName Client-DeviceLockdown,Client-EmbeddedBootExp -Online
+    ```
+1. Restart your device to apply the changes
+
+---

 > [!IMPORTANT]
 > The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator.

-## Requirements
+## Configure Unbranded Boot

-Unbranded Boot can be enabled on:
+The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

- Windows 10 Enterprise
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
+> [!NOTE]
+> If Windows is already installed, you can't apply a provisioning package to configure Unbranded Boot. Instead, you must use the command prompt to configure Unbranded Boot.

-## Terminology
+#### [:::image type="icon" source="../images/icons/cmd.svg"::: **Command prompt**](#tab/cmd)

- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line.
+You can use the `bcdedit.exe` command to configure Unbranded Boot settings at runtime.

- **Configure:** To customize the setting or subsettings.
+> [!NOTE]
+> `Bcdedit.exe` is a command-line tool for editing the Boot Configuration Data (BCD) of Windows. Administrator privileges are required to use BCDEdit to modify the BCD.

- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511.
-
- **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later.
-
-## Turn on Unbranded Boot settings
-
-Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring.
-
-If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed.
-
-BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD.
-
-### Turn on Unbranded Boot by using Control Panel
-
-1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
-1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**.
-1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
-1. Restart your device to apply the changes.
-
-## Configure Unbranded Boot settings at runtime using BCDEdit
-
-1. Open a command prompt as an administrator.
-1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu.
+1. Open a command prompt as an administrator
+1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu

   ```cmd
   bcdedit.exe -set {globalsettings} advancedoptions false
   ```

-1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu.
+1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu

   ```cmd
   bcdedit.exe -set {globalsettings} optionsedit false
   ```

-1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup.
+1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup

   ```cmd
   bcdedit.exe -set {globalsettings} bootuxdisabled on
   ```

-1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen.
+1. Run the following command to suppress any error screens that are displayed during boot. If `noerrordisplay` is set to `on` and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen

   ```cmd
   bcdedit.exe -set {bootmgr} noerrordisplay on
   ```

-## Configure Unbranded Boot using Unattend
+#### [:::image type="icon" source="../images/icons/xml.svg"::: **Unattend**](#tab/unattend)

-You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp.
+You can configure the Unattend settings in the `Microsoft-Windows-Embedded-BootExp` component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file.

 ### Unbranded Boot settings

-The following table shows Unbranded Boot settings and their values.
+The following table lists Unbranded Boot settings and their values.

 | Setting | Description | Value |
 |---------|-------------|-------|
-| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. |
-| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. |
-| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. |
-| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. |
-| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. |
-| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. |
+| `DisableBootMenu` | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the *Advanced startup options* menu. | - Set to `1` to disable the menu<br>- The default value is `0`|
+| `DisplayDisabled` | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | - Set to `1` to display a blank screen on error<br>- The default value is `0`|
+| `HideAllBootUI` | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | - Set to `1` to suppress all Windows UI elements during startup<br>- The default value is `0`|
+| `HideBootLogo` | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | - Set to `1` to suppress the default Windows logo<br>- The default value is `0`|
+| `HideBootStatusIndicator` | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | - Set to `1` to suppress the status indicator<br>- The default value is `0`|
+| `HideBootStatusMessage` | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | - Set to `1` to suppress the startup status text<br>- The default value is `0`|

-## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM)
+For more information about the Unbranded Boot settings and XML examples, see the settings in [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp).

-You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup.
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)

-1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
+Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM).

-1. In the Available customizations page, select **Runtime settings** &gt; **SMISettings** and then set the value for the boot screen settings. The following values are just examples.
+You must enable Unbranded Boot on the installation media with DISM before you can apply settings for Unbranded Boot using either Windows Configuration Designer or applying a provisioning package during setup.

-   - **HideAllBootUI**=FALSE
-   - **HideBootLogo**=FALSE
-   - **HideBootStatusIndicator**=TRUE
-   - **HideBootStatusMessage**=TRUE
-   - **CrashDumpEnabled**=Full dump
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]

-   > [!TIP]
-   > For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
+|Path|Value|
+|---|---|
+|`Runtime settings/SMISettings/HideAllBootUI`| `TRUE` or `FALSE`|
+|`Runtime settings/SMISettings/HideBootLogo`| `TRUE` or `FALSE`|
+|`Runtime settings/SMISettings/HideBootStatusIndicator`| `TRUE` or `FALSE`|
+|`Runtime settings/SMISettings/HideBootStatusMessage`| `TRUE` or `FALSE`|

-1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings.
-   1. Open a command prompt with administrator privileges.
-   1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim).
-   1. Create a new directory.
+> [!TIP]
+> For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
+
+Once you finish to configure the settings and building the package or image, use DISM to apply the settings:
+
+1. Open a command prompt with administrator privileges
+1. Copy `install.wim` to a temporary folder on the hard drive (for example, `c:\wim`)
+1. Create a new directory to mount the image:

    ```cmd
    md c:\wim
    ```
-
-   1. Mount the image.
-
+1. Mount the image:
    ```cmd
    dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
    ```
-
-   1. Enable the feature.
-
+1. Enable the feature:
    ```cmd
    dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
    ```
-
-   1. Commit the change.
-
+1. Commit the change:
    ```cmd
    dism /unmount-wim /MountDir:c:\wim /Commit
    ```

-In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue.
+---

-![unbranded boot screen](images/boot.jpg)
+In the following image:
+
+1. `BootLogo` is outlined in green
+1. `BootStatusIndicator` is outlined in red
+1. `BootStatusMessage` is outlined in blue
+
+:::image type="content" source="images/boot.png" alt-text="Screenshot of the boot screen showing the areas that can be configured with Unbranded Boot." border="false":::

 ## Replace the startup logo

 The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo.
-
-## Suppress Errors During Boot
-
-Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting.
-
-1. Open a command prompt as an administrator.
-1. Run the following command to suppress error screens during boot.
-
-   ```cmd
-   bcdedit.exe -set {bootmgr} noerrordisplay on
-   ```
-
-## Related articles
-
- [Custom Logon](../custom-logon/index.md)
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@ -14,7 +14,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
 - ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a>		
-ms.date: 05/23/2024
+ms.date: 04/15/2025
 ---

 # Microsoft Connected Cache content and services endpoints
@ -39,3 +39,4 @@ Use the table below to reference any particular content types or services endpoi
 | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
 | *.ubuntu.com, api.snapcraft.io | HTTP / 80 </br> HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure |
 | packages.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure |
+| aka.ms, raw.githubusercontent.com | HTTPs / 443 | Azure IoT Identity Service | Checks the identity service version file is the latest version. | Connected Cache Managed in Azure |
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@ -89,8 +89,8 @@ The following diagram displays an overview of how Connected Cache functions:
 1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services.
 1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key.
 1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content.
-1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server.
-You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports.
+1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. If the cache server fails to respond, the client downloads the content from the CDN. To delay this behavior, set the [DelayCacheServerFallbackForeground/DelayCacheServerFallbackBackground](/windows/deployment/do/waas-delivery-optimization-reference#delay-foreground-download-cache-server-fallback-in-secs) setting to avoid the immediate fallback. You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports.
+

 ## Next steps

--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@ -17,7 +17,7 @@ metadata:
    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
    - ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
    - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>	
-  ms.date: 02/27/2025
+  ms.date: 04/14/2025
 title: Frequently Asked Questions about Delivery Optimization
 summary: |
  This article answers frequently asked questions about Delivery Optimization.
@ -30,6 +30,8 @@ summary: |
  - [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected)
  - [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization)
  - [My download is failing with error code 0x80d03002, how do I fix it?](#my-download-is-failing-with-error-code-0x80d03002--how-do-i-fix-it)
+  - [What do the Delivery Optimization error codes mean?](#what-do-the-delivery-optimization-error-codes-mean)
+  - [How does Delivery Optimization measure and throttle download bandwidth?](#how-does-delivery-optimization-measure-and-throttle-download-bandwidth)

  **Network related configuration questions**:
 
@ -74,12 +76,24 @@ sections:

          > [!NOTE]
          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
-       
      - question: My download is failing with error code 0x80d03002, how do I fix it?
        answer: |
          If you set the DownloadMode policy to '100' (Bypass) some content downloads that require Delivery Optimization may fail with error code 0x80d03002.
          If you intend to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
          Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
+      - question: What do the Delivery Optimization error codes mean?
+        answer: |
+          For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively.
+      - question: How does Delivery Optimization measure and throttle download bandwidth?
+        answer: |
+          By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network.      
+          
+          Throttling will apply only to downloads from the internet which include the HTTP source and Group peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies.
+       
+          For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options).
+
+          > [!NOTE]
+          > For LAN peers, neither the target download speed is calculated nor is throttling applied.

  - name: Network related configuration questions
    questions:
@ -139,7 +153,7 @@ sections:
         No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.    
      - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
        answer: |
-         Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
+         Starting in Windows 11, version 22H2, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
      - question: How does Delivery Optimization handle VPNs?
        answer: |
          Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
@ -169,7 +183,7 @@ sections:
          For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
      - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
        answer: |
-          Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
+          Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses (defined by RFC 1918). If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.

          > [!NOTE]
          > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
@ -185,4 +199,3 @@ sections:
          1. In the search box on the taskbar, type **Disk Cleanup**, and then select it from the list of results.
          1. On the **Disk Cleanup** tab, select the **Delivery Optimization Files** check box.
          1. Select **OK**. On the dialog that appears, select **Delete Files**.
-
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@ -14,7 +14,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
-ms.date: 04/03/2025
+ms.date: 04/15/2025
 ---

 # Delivery Optimization reference
@ -329,7 +329,7 @@ This policy allows you to specify how your client(s) can discover Delivery Optim
 - 1 = DHCP Option 235.
 - 2 = DHCP Option 235 Force.

-With either option, the client queries DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. **By default, this policy has no value.**
+With either option, the client queries DHCP Option ID 235 and uses the returned value as the Cache Server Hostname. If [DOCacheHost](#cache-server-hostname) policy is also configured, then DHCP Option 235 Force (2) is required to override it. **By default, this policy has no value.**

 Configure this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.

--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@ -1,7 +1,7 @@
 ---
 title: Hotpatch updates
 description: Use Hotpatch updates to receive security updates without restarting your device
-ms.date: 04/04/2025
+ms.date: 04/11/2025
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: how-to
@ -21,25 +21,20 @@ Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updat

 Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.

-> [!NOTE]
-> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
-
 ## Key benefits

 - Hotpatch updates streamline the installation process and enhance compliance efficiency.
 - No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
 - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.

-## Release cycles
+## Prerequisites

-For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+To benefit from Hotpatch updates, devices must meet the following prerequisites:

-| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
-| ----- | ----- | ----- |
-| 1 | January | February and March |
-| 2 | April | May and June |
-| 3 | July | August and September |
-| 4 | October | November and December |
+- For licensing requirements, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
+- Windows 11 Enterprise version 24H2 or later
+- Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+- Microsoft Intune to manage hotpatch update deployment with the [Windows quality update policy with hotpatch turned on](#enroll-devices-to-receive-hotpatch-updates).

 ## Operating system configuration prerequisites

@ -49,28 +44,30 @@ To prepare a device to receive Hotpatch updates, configure the following operati

 VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).

-### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) (Public preview)
+> [!NOTE]
+> Devices might be temporarily ineligible because they don’t have VBS enabled or aren’t currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see [Troubleshoot hotpatch updates](#troubleshoot-hotpatch-updates).
+
+### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)

 > [!IMPORTANT]
 > **Arm 64 devices are in public preview**. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.

-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
-Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
-DWORD key value: HotPatchRestrictions=1
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder.
+
+To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates.

 > [!IMPORTANT]
 > This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.

+To disable CHPE, create and/or set the following DWORD registry key:
+Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
+DWORD key value: HotPatchRestrictions=1
+
+> [!NOTE]
+> There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don’t have CHPE.
+
 If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.  

-## Eligible devices
-
-To benefit from Hotpatch updates, devices must meet the following prerequisites:
-
- Operating System: Devices must be running Windows 11 24H2 or later.
- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
-
 ## Ineligible devices

 Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.  
@ -80,6 +77,32 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
 > [!NOTE]
 > If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.

+## Release cycles
+
+For more information about the release calendar for hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+
+- Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required.
+- Hotpatch: Includes security updates. No restarted required.
+
+| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
+| ----- | ----- | ----- |
+| 1 | January | February and March |
+| 2 | April | May and June |
+| 3 | July | August and September |
+| 4 | October | November and December |
+
+## Hotpatch on Windows 11 Enterprise or Windows Server 2025
+
+> [!NOTE]
+> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
+
+Hotpatch updates are similar between Windows 11 and Windows Server 2025.
+
+- Windows Autopatch manages Windows 11 updates
+- Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information, on Windows Server and Windows 365, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
+
+The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems (OS). It’s possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from [Windows release health](/windows/release-health/) to keep up to date.
+
 ## Enroll devices to receive Hotpatch updates

 > [!NOTE]
@ -94,11 +117,11 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
 1. Select **Create**, and select **Windows quality update policy**.
 1. Under the **Basics** section, enter a name for your new policy and select Next.
 1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
-1. Select the appropriate Scope tags or leave as Default and select **Next**.
+1. Select the appropriate Scope tags or leave as Default. Then, select **Next**.
 1. Assign the devices to the policy and select **Next**.
 1. Review the policy and select **Create**.

-These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+These steps ensure that targeted devices, which are [eligible](#prerequisites) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).

 > [!NOTE]
 > Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
@ -106,3 +129,48 @@ These steps ensure that targeted devices, which are [eligible](#eligible-devices
 ## Roll back a hotpatch update

 Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
+
+## Troubleshoot hotpatch updates
+
+### Step 1: Verify the device is eligible for hotpatch updates and on a hotpatch baseline before the hotpatch update is installed
+
+Hotpatching follows the hotpatch release cycle. Review the prerequisites to ensure the device is [eligible](#prerequisites) for hotpatch updates. For information on devices that don’t meet the prerequisites, see [Ineligible devices](#ineligible-devices).
+
+For the latest release schedule, see the [hotpatch release notes](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1). For information on Windows update history, see [Windows 11, version 24H2 update history](https://support.microsoft.com/topic/windows-11-version-24h2-update-history-0929c747-1815-4543-8461-0160d16f15e5).
+
+### Step 2: Verify the device has Virtualization-based security (VBS) turned on
+
+1. Select **Start**, and enter `System information` in the Search.
+1. Select **System information** from the results.
+1. Under **System summary**, under the **Item column**, find **Virtualization-based security**.
+1. Under the **Value column**, ensure it states **Running**.
+
+### Step 3: Verify the device is properly configured to turn on hotpatch updates
+
+1. In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the **Windows Update** > **Quality Updates** page.  
+1. Ensure the hotpatch update policy is set to **Allow**.
+1. On the device, select **Start** > **Settings** > **Windows Update** > **Advanced options** > **Configured update policies** > find **Enable hotpatching when available**. This setting indicates that the device is enrolled in hotpatch updates as configured by Autopatch.
+
+### Step 4: Disable compiled hybrid PE usage (CHPE) (Arm64 CPU only)
+
+For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only).
+
+### Step 5: Use Event viewer to verify the device has hotpatch updates turned on
+
+1. Right-click on the **Start** menu, and select **Event viewer**.
+1. Search for **AllowRebootlessUpdates** in the filter. If AllowRebootlessUpdates is set to `1`, the device is enrolled in the Autopatch update policy and has hotpatch updates turned on:
+
+``
+"data": {
+"payload": "{\"Orchestrator\":{\"UpdatePolicy\":{\"Update/AllowRebootlessUpdates\":true}}}",
+"isEnrolled": 1,
+"isCached": 1,
+"vbsState": 2,
+``
+
+### Step 6: Check Windows Logs for any hotpatch errors
+
+Hotpatch updates provide an inbox monitor service that checks for the health of the updates installed on the device. If the monitor service detects an error, the service logs an event in the Windows Application Logs. If there's a critical error, the device installs the standard (LCU) update to ensure the device is fully secure.
+
+1. Right-click on the **Start** menu, and select **Event viewer**.
+1. Search for **hotpatch** in the filter to view the logs.
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@ -4,7 +4,7 @@ metadata:
  description: Answers to frequently asked questions about Windows Autopatch.
  ms.service: windows-client
  ms.topic: faq
-  ms.date: 03/31/2025
+  ms.date: 04/21/2025
  audience: itpro
  ms.localizationpriority: medium
  manager: aaroncz
@ -97,6 +97,71 @@ sections:
      - question: Can I configure when to move to the next ring or is it controlled by Windows Autopatch?
        answer: |
          You're in full control over when updates are deployed to their devices. Autopatch groups will recommend a set of intelligent defaults but those are fully customizable so that you can achieve your desired rollout.
+      - question: What is the expected behavior for turning on the Feature Update option for Autopatch groups?
+        answer: |
+          Starting in April 2025, default policies aren't created for new Autopatch customers. Existing customers will continue to receive support until Windows 10 reaches its End-of-Service (EOS). However, these policies won't transition to Windows 11.
+          
+          If you created an Autopatch group before April 2025:
+          - The Feature Update option is unselected by default.
+          - Selecting the Feature Update option creates a feature update policy for the newly created Autopatch group. This doesn't affect the Global DSS policy.
+          - The Feature Update option doesn't affect existing releases created before April 2025; these releases remain unchanged
+          
+          If you created an Autopatch group after April 2025:
+          - Selecting the Feature Update option creates a feature update policy and assigns it to all its deployment rings.
+          - Global DSS policy isn't affected.
+  - name: Hotpatch updates
+    questions:
+      - question: What are the licensing requirements for hotpatch updates?
+        answer: |
+          Windows 11 Enterprise E3 or E5, Windows 11 Enterprise F3 or F5, Windows 11 Education A3 or A5, or a Windows 365 Enterprise license. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md).
+      - question: Can I still restart devices as often as I want?
+        answer: |
+          Yes, devices that install hotpatch updates are protected the moment the update is installed. However, if a user or your IT Admin wishes to restart the PC you can do it anytime. The device restarts and runs the hotpatch updates.
+      - question: Can I use hotpatch updates on Arm64 devices?
+        answer: |
+          Yes, hotpatch updates are available for Arm64 devices. For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](../manage/windows-autopatch-hotpatch-updates.md#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only)).
+      - question: What is the default hotpatch behavior on Windows Home or Pro devices?
+        answer: |
+          Hotpatch updates aren't available to Home or Pro devices. Hotpatching requires domain admin or group policy. It's available only via Windows Autopatch update policy, which includes Windows 365 Enterprise, E3/E5, F3 and A3/A5 licenses. 
+      - question: How do I enroll devices to receive hotpatch updates?
+        answer: |
+          For more information, see [Enroll devices to receive hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md#enroll-devices-to-receive-hotpatch-updates).
+      - question: What if some devices in my hotpatch policy aren't eligible for hotpatch updates?
+        answer: |
+          For more information on eligibility, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [ineligible devices](../manage/windows-autopatch-hotpatch-updates.md#ineligible-devices).
+      - question: How is hotpatching different for Windows 11 Enterprise and Windows Server 2025?
+        answer: |
+          For more information, see [Hotpatch on Windows 11 Enterprise or Windows Server 2025](../manage/windows-autopatch-hotpatch-updates.md#hotpatch-on-windows-11-enterprise-or-windows-server-2025).
+      - question: How can I tell which of my devices installed a hotpatch update?
+        answer: |
+          Devices receiving the hotpatch update have a different KB number tracking the release and a different OS version than devices receiving the standard update that requires a restart. The monthly KB release articles indicate if the KB installed is hotpatch capable and the corresponding OS version. The following Windows Update message appears “Great news! The latest security update was installed without a restart.”
+      - question: What if I restart a device after receiving a hotpatch update?
+        answer: |
+          The device stays on the hotpatch update KB/OS version after a restart. It won't receive any new features as part of the regular servicing track until the next quarterly cumulative baseline update. 
+      - question: Do hotpatch updates only update common system binaries loaded in third-party processes or only Microsoft processes?
+        answer: |
+          Hotpatch updates aren't limited to Microsoft processes. Hotpatch updates are only created for OS binaries. Any process loading OS binaries that have hotpatch updates installed are updated before the application or operating system uses the binaries. This includes common system dynamic link libraries (DLLs) like ntdll.dll. 
+      - question: How can I find out if a hotpatch update was applied to the specific DLL?
+        answer: | 
+          You can see the hotpatch modules in the memory dump. Symbols for hotpatched DLLs depend on the function that receives the update. Some code that is hotpatch-updated could be public (symbols), while other functions could be private (no symbols).  
+      - question: Are there kernel-mode hotpatch updates?
+        answer: |
+          Yes, there are kernel-mode hotpatch updates.
+      - question: What does a failure to apply a hotpatch update look like?
+        answer: |
+          Hotpatch failures are the same as CBS failures when installing other KBs (not enough disk space or download errors for example). In addition, hotpatch update errors are recorded in the event logs. Search the system log for the keyword “hotpatch” to see if your system encountered any errors.
+      - question: Can you switch from hotpatch update to the Standard Windows monthly updates?
+        answer: |
+          Yes, you can. You can manually download the standard Windows monthly update from the Microsoft Update Catalog. In this case, the device stops receiving hotpatch updates and receives standard Windows updates until the month after the next baseline update. Since the device is still enrolled in hotpatching, the device automatically rejoins the hotpatch cadence of updates after the update is released on the baseline month.
+      - question: How do hotpatch update events show up in audit logs?
+        answer: |
+          Process explorer shows it loaded in memory OS ``<binary name>_hotpatch`` loaded in memory. The hotpatch update KB includes a link to the CSV file listing the update payload. 
+      - question: Can I get security alerts through Event Tracing for Windows (ETW) about hotpatch updates?
+        answer: |
+          Hotpatch events are captured in the audit log. Search for “hotpatch” in the audit log to find related errors if any were captured.
+      - question: Do I need to test hotpatch updates if I already test monthly updates?
+        answer: |
+          You should test hotpatch updates when released 8 times a year (according to plan) and the regular monthly updates 12 times a year. There are no hotpatch updates for you to test in January (1B), April (4B), July (7B), or October (10B).
  - name: Support
    questions:
      - question: Does Windows Autopatch Support Dual Scan for Windows Update?
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
@ -1,7 +1,7 @@
 ---
 title: What's new 2025
 description: This article lists the 2025 feature releases and any corresponding Message center post numbers.
-ms.date: 03/31/2025
+ms.date: 04/11/2025
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: whats-new
@ -21,6 +21,15 @@ This article lists new and updated feature releases, and service releases, with

 Minor corrections such as typos, style, or formatting issues aren't listed.

+## April 2025
+
+### April feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Added [troubleshooting](../manage/windows-autopatch-hotpatch-updates.md#troubleshoot-hotpatch-updates) section |
+| [FAQ](../overview/windows-autopatch-faq.yml) | Added [hotpatch updates](../overview/windows-autopatch-faq.yml#hotpatch-updates) section to the FAQ. |
+
 ## March 2025

 ### March feature releases or updates
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@ -459,8 +459,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
 | svchost | HTTPS   | `*.delivery.mp.microsoft.com`  |

 These are dependent on enabling:
- [Device authentication](manage-windows-1809-endpoints.md#device-authentication)
- [Microsoft account](manage-windows-1809-endpoints.md#microsoft-account)
+- [Device authentication](#device-authentication)
+- [Microsoft account](#microsoft-account)

 The following endpoint is used for content regulation.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
--- a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
--- a/windows/security/application-security/application-control/toc.yml
+++ b/windows/security/application-security/application-control/toc.yml
@ -9,6 +9,8 @@ items:
  items:
  - name: Overview
    href: user-account-control/index.md
+  - name: UAC Architecture
+    href: user-account-control/architecture.md
  - name: How UAC works
    href: user-account-control/how-it-works.md
  - name: UAC settings and configuration
--- a/windows/security/application-security/application-control/user-account-control/architecture.md
+++ b/windows/security/application-security/application-control/user-account-control/architecture.md
@ -0,0 +1,129 @@
+---
+title: User Account Control architecture
+description: Learn about the User Account Control (UAC) architecture.
+ms.topic: concept-article
+ms.date: 04/15/2025
+---
+
+# UAC Architecture
+
+The following diagram details the UAC architecture.
+
+:::image type="content" source="images/uac-architecture.gif" alt-text="Diagram that describes the UAC architecture.":::
+
+## User
+
+- **User performs operation requiring privilege**: If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.
+- **ShellExecute**: ShellExecute calls CreateProcess. ShellExecute looks for the `ERROR_ELEVATION_REQUIRED` error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.
+- **CreateProcess**: If the application requires elevation, CreateProcess rejects the call with `ERROR_ELEVATION_REQUIRED`.
+
+## System
+
+- **Application Information service**:
+    - A system service that helps start apps that require one or more elevated privileges or user rights to run.
+    - The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required.
+    - Depending on the configured policies, the user might give consent.
+
+- **Elevating an ActiveX install**:
+    - If ActiveX isn't installed, the system checks the UAC slider level.
+    - If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.
+
+- **Check UAC slider level**: UAC has a slider to select from four levels of notification:
+    - **Always notify** will:
+        - Notify you when programs try to install software or make changes to your computer.
+        - Notify you when you make changes to Windows settings.
+        - Freeze other tasks until you respond.
+        - Recommended if you often install new software or visit unfamiliar websites.
+    - **Notify me only when programs try to make changes to my computer** will:
+        - Notify you when programs try to install software or make changes to your computer.
+        - Not notify you when you make changes to Windows settings.
+        - Freeze other tasks until you respond.
+        - Recommended if you don't often install apps or visit unfamiliar websites.
+    - **Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:
+        - Notify you when programs try to install software or make changes to your computer.
+        - Not notify you when you make changes to Windows settings.
+        - Not freeze other tasks until you respond.
+        - Not recommended. Choose this option only if it takes a long time to dim the desktop on your computer.
+    - **Never notify (Disable UAC prompts)** will:
+        - Not notify you when programs try to install software or make changes to your computer.
+        - Not notify you when you make changes to Windows settings.
+        - Not freeze other tasks until you respond.
+        - Not recommended due to security concerns.
+
+- **Secure desktop enabled**: The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked:
+    - If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+    - If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.
+
+- **CreateProcess**:
+    - CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation.
+    - The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file.
+    - CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.
+
+- **AppCompat**:
+    - The AppCompat database stores information in the application compatibility fix entries for an application.
+
+- **Fusion**:
+    - The Fusion database stores information from application manifests that describe the applications.
+    - The manifest schema is updated to add a new requested execution level field.
+
+- **Installer detection**:
+    - Installer detection detects setup files and helps prevent installations from being run without the user's knowledge and consent.
+
+## Kernel
+
+- **Virtualization**: Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.
+- **File system and registry**: The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.
+
+The slider never turns off UAC completely. If you set it to **Never notify**, it will:
+
+- Keep the UAC service running
+- Cause all elevation request initiated by administrators to be autoapproved without showing a UAC prompt
+- Automatically deny all elevation requests for standard users
+
+> [!IMPORTANT]
+> In order to fully disable UAC, you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. Some Universal Windows Platform apps might not work when UAC is disabled.
+
+## Virtualization
+
+Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
+
+Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
+
+Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
+
+Virtualization isn't an option in the following scenarios:
+
+- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
+- Virtualization supports only 32-bit apps. Nonelevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
+- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
+
+## Request execution levels
+
+An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
+
+All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
+
+## Installer detection technology
+
+Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
+
+Installer detection only applies to:
+
+- 32-bit executable files
+- Applications without a requested execution level attribute
+- Interactive processes running as a standard user with UAC enabled
+
+Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
+
+- File name includes keywords such as "install," "setup," or "update."
+- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
+- Keywords in the side-by-side manifest are embedded in the executable file.
+- Keywords in specific StringTable entries are linked in the executable file.
+- Key attributes in the resource script data are linked in the executable file.
+- Executable file contains targeted sequences of bytes.
+
+> [!NOTE]
+> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
+
+> [!NOTE]
+> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@ -2,7 +2,7 @@
 title: How User Account Control works
 description: Learn about User Account Control (UAC) components and how it interacts with the end users.
 ms.topic: concept-article
-ms.date: 03/26/2024
+ms.date: 04/15/2025
 ---

 # How User Account Control works
@ -34,8 +34,8 @@ When a user signs in, the system creates an access token for that user. The acce
 When an administrator logs on, two separate access tokens are created for the user: a *standard user access token* and an *administrator access token*. The standard user access token:

 - Contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed
- It's used to start applications that don't perform administrative tasks (standard user apps)
- It's used to display the desktop by executing the process *explorer.exe*. Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token
+- Is used to start applications that don't perform administrative tasks (standard user apps)
+- Is used to display the desktop by executing the process *explorer.exe*. Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token

 A user that is a member of the Administrators group can sign in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an *elevation prompt*, and its behavior can be configured via policy or registry.

@ -91,105 +91,8 @@ The elevation process is further secured by directing the prompt to the *secure
 When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.

 > [!NOTE]
-> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
+> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This behavior is the same as the currently supported Windows client OS versions.

 Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt might be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.

 While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
-
-## UAC Architecture
-
-The following diagram details the UAC architecture.
-
-:::image type="content" source="images/uac-architecture.gif" alt-text="Diagram that describes the UAC architecture.":::
-
-To better understand each component, review the following tables:
-
-### User
-
-|Component|Description|
-|--- |--- |
-|User performs operation requiring privilege|If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
-|ShellExecute|ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
-|CreateProcess|If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
-
-### System
-
-|Component|Description|
-|--- |--- |
-|Application Information service|A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user might give consent.|
-|Elevating an ActiveX install|If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
-|Check UAC slider level|UAC has a slider to select from four levels of notification.<ul><li>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you often install new software or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended due to security concerns.|
-|Secure desktop enabled|The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
-|CreateProcess|CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
-|AppCompat|The AppCompat database stores information in the application compatibility fix entries for an application.|
-|Fusion|The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
-|Installer detection|Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
-
-### Kernel
-
-|Component|Description|
-|--- |--- |
-|Virtualization|Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
-|File system and registry|The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
-
-The slider never turns off UAC completely. If you set it to **Never notify**, it will:
-
- Keep the UAC service running
- Cause all elevation request initiated by administrators to be autoapproved without showing a UAC prompt
- Automatically deny all elevation requests for standard users
-
-> [!IMPORTANT]
-> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
-
-> [!WARNING]
-> Some Universal Windows Platform apps may not work when UAC is disabled.
-
-### Virtualization
-
-Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
-
-Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
-
-Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
-
-Virtualization isn't an option in the following scenarios:
-
- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
- Virtualization supports only 32-bit apps. Nonelevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
-
-### Request execution levels
-
-An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
-
-All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
-
-### Installer detection technology
-
-Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
-
-Installer detection only applies to:
-
- 32-bit executable files
- Applications without a requested execution level attribute
- Interactive processes running as a standard user with UAC enabled
-
-Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
-
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
-
-> [!NOTE]
-> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
-
-> [!NOTE]
-> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).
-
-## Next steps
-
-Learn more about [User Account Control settings and configuration](settings-and-configuration.md).
--- a/windows/security/application-security/application-control/user-account-control/index.md
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@ -2,7 +2,7 @@
 title: User Account Control
 description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
 ms.topic: overview
-ms.date: 03/26/2024
+ms.date: 04/15/2025
 ---

 # User Account Control overview
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@ -1,7 +1,7 @@
 ---
 title: User Account Control settings and configuration
 description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy, and registry.
-ms.date: 03/26/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -9,35 +9,74 @@ ms.topic: how-to

 ## User Account Control settings list

-The following table lists the available settings to configure the UAC behavior, and their default values.
+The following list shows the available settings to configure the UAC behavior, and their default values.

-|Setting name| Description|
-|-|-|
-|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.|
-|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
-|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
-|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
-|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
-|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
-|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
-|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system is reduced.|
-|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
-|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
+- **Admin Approval Mode for the built-in Administrator account**: Controls the behavior of Admin Approval Mode for the built-in Administrator account.
+    - **Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to prove the operation.
+    - **Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.
+
+- **Allow UIAccess applications to prompt for elevation without using the secure desktop**: Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+    - **Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting; if configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.
+    - **Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.
+
+- **Behavior of the elevation prompt for administrators in Admin Approval Mode**: Controls the behavior of the elevation prompt for administrators.
+    - **Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.
+    - **Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+    - **Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+    - **Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+    - **Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+    - **Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+- **Behavior of the elevation prompt for standard users**: Controls the behavior of the elevation prompt for standard users.
+    - **Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+    - **Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user might choose this setting to reduce help desk calls.
+    - **Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+- **Detect application installations and prompt for elevation**: Controls the behavior of application installation detection for the computer.
+    - **Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+    - **Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary.
+
+- **Only elevate executables that are signed and validated**: Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.
+    - **Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.
+    - **Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
+
+- **Only elevate UIAccess applications that are installed in secure locations**: Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system.
+
+    - **Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
+    - **Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
+
+    Secure locations are limited to the following folders:
+    - `%ProgramFiles%`, including subfolders
+    - `%SystemRoot%\system32\`
+    - `%ProgramFiles(x86)%`, including subfolders
+
+    > [!NOTE]
+    > Windows enforces a digital signature check on any interactive apps that request to run with a UIAccess integrity level regardless of the state of this setting.
+
+- **Run all administrators in Admin Approval Mode**: Controls the behavior of all UAC policy settings.
+    - **Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.
+    - **Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. **Note:** If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system is reduced.
+
+- **Switch to the secure desktop when prompting for elevation**: This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+    - **Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+    - **Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+
+- **Virtualize File And Registry Write Failures To Per User Locations**: Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.
+    - **Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.
+    - **Disabled**: Apps that write data to protected locations fail.

 ## User Account Control configuration

 To configure UAC, you can use:

- Microsoft Intune/MDM
+- Microsoft Intune
+- CSP
 - Group policy
 - Registry

 The following instructions provide details how to configure your devices. Select the option that best suits your needs.

-
-#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
-
-### Configure UAC with a Settings catalog policy
+#### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)

 To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:

@ -45,21 +84,23 @@ To configure devices using Microsoft Intune, [create a **Settings catalog** poli

 Assign the policy to a security group that contains as members the devices or users that you want to configure.

-Alternatively, you can configure devices using a [custom policy][MEM-1] with the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].\
-The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions`.
+#### [:::image type="icon" source="../../../images/icons/csp.svg"::: **CSP**](#tab/csp)
+
+You can configure devices using the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].
+
+|Setting|CSP Name|
+|--|--|
+| Admin Approval Mode for the built-in Administrator account |  `UserAccountControl_UseAdminApprovalMode`|
+| Allow UIAccess applications to prompt for elevation without using the secure desktop | `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation` |
+| Behavior of the elevation prompt for administrators in Admin Approval Mode |  `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
+| Behavior of the elevation prompt for standard users | `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
+| Detect application installations and prompt for elevation | `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
+| Only elevate executables that are signed and validated | `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
+| Only elevate UIAccess applications that are installed in secure locations | `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
+| Run all administrators in Admin Approval Mode | `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
+| Switch to the secure desktop when prompting for elevation | `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
+| Virtualize file and registry write failures to per-user locations | `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|

-|Setting|
-| - |
-| **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
-| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
-| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
-| **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
-| **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
-| **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
-| **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
-| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
-| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
-| **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|

 #### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)

--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
@ -2,7 +2,7 @@
 title: Configure the Group Policy settings for Microsoft Defender Application Guard
 description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
 ms.localizationpriority: medium
-ms.date: 07/11/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
@ -4,7 +4,7 @@ metadata:
  description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
  ms.localizationpriority: medium
  ms.topic: faq
-  ms.date: 07/11/2024
+  ms.date: 04/15/2025
 title: Frequently asked questions - Microsoft Defender Application Guard
 summary: |

--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@ -1,7 +1,7 @@
 ---
 title: Enable hardware-based isolation for Microsoft Edge
 description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
-ms.date: 07/11/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender Application Guard
 description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.date: 07/11/2024
+ms.date: 04/15/2025
 ms.topic: overview
 ---

--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
@ -3,7 +3,7 @@ title: System requirements for Microsoft Defender Application Guard
 description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
 ms.topic: overview
 ms.localizationpriority: medium
-ms.date: 07/11/2024
+ms.date: 04/15/2025
 ---

 # System requirements for Microsoft Defender Application Guard
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@ -2,7 +2,7 @@
 title: Testing scenarios with Microsoft Defender Application Guard
 description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
 ms.localizationpriority: medium
-ms.date: 07/11/2024
+ms.date: 04/15/2025
 ms.topic: article
 ---

--- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
@ -2,7 +2,7 @@
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
 ms.topic: article
-ms.date: 07/10/2024
+ms.date: 04/15/2025
 ---

 # Microsoft Pluton security processor
@ -23,19 +23,19 @@ Pluton is built on proven technology used in Xbox and Azure Sphere, and provides

 Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things:

-1. **Zero-trust security and reliability**: Customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability.
-1. **Innovation**: Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As an example, Pluton platforms in 2024 AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety.
-1. **Continuous improvement**: Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that update the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features.
+1. **Zero-trust security and reliability**: Customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built, and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability.
+1. **Innovation**: Pluton platform and the functionality it provides is informed by customer feedback and Microsoft's threat intelligence. As an example, Pluton platforms in 2024 AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety.
+1. **Continuous improvement**: Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that update the Pluton firmware that is resident on the system's SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features.

 ### A practical example: zero-trust security with device-based conditional access policies

-An increasingly important zero-trust workflow is conditional access – gating access to resources like Sharepoint documents based on verifying whether requests are coming from a valid, healthy source. Microsoft Intune, for example, supports different workflows for conditional access including [device-based conditional access](/mem/intune/protect/create-conditional-access-intune) which allows organizations to set policies that ensure that managed devices are healthy and compliant before granting access to the organization’s apps and services. 
+An increasingly important zero-trust workflow is conditional access – gating access to resources like Sharepoint documents based on verifying whether requests are coming from a valid, healthy source. Microsoft Intune, for example, supports different workflows for conditional access including [device-based conditional access](/mem/intune/protect/create-conditional-access-intune) which allows organizations to set policies that ensure that managed devices are healthy and compliant before granting access to the organization's apps and services.

-To ensure that Intune gets an accurate picture about the device’s health as part of enforcing these policies, ideally it has tamper-resistant logs on the state of the relevant security capabilities. This is where hardware security is critical as any malicious software running on the device could attempt to provide false signals to the service. One of the core benefits of a hardware security technology like the TPM, is that it has a tamper-resistant log of the state of the system. Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM. 
+To ensure that Intune gets an accurate picture about the device's health as part of enforcing these policies, ideally it has tamper-resistant logs on the state of the relevant security capabilities. This is where hardware security is critical as any malicious software running on the device could attempt to provide false signals to the service. One of the core benefits of a hardware security technology like the TPM, is that it has a tamper-resistant log of the state of the system. Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM.

-For the end-to-end scenario to be truly successful at scale, the hardware-based security is not enough. Since access to enterprise assets is being gated based on security settings that are being reported by the TPM logs, it is critical that these logs are available reliably. Zero-trust security essentially requires high reliability. 
+For the end-to-end scenario to be truly successful at scale, the hardware-based security isn't enough. Since access to enterprise assets is being gated based on security settings that are being reported by the TPM logs, it's critical that these logs are available reliably. Zero-trust security essentially requires high reliability.

-With Pluton, when it is configured as the TPM for the system, customers using conditional access get the benefits of Pluton’s security architecture and implementation with the reliability that comes from the tight integration and collaboration between Pluton and other Microsoft components and services.
+With Pluton, when it's configured as the TPM for the system, customers using conditional access get the benefits of Pluton's security architecture and implementation with the reliability that comes from the tight integration and collaboration between Pluton and other Microsoft components and services.


 ## Microsoft Pluton security architecture overview
--- a/windows/security/hardware-security/pluton/pluton-as-tpm.md
+++ b/windows/security/hardware-security/pluton/pluton-as-tpm.md
@ -2,7 +2,7 @@
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
 ms.topic: article
-ms.date: 07/10/2024
+ms.date: 04/15/2025
 ---

 # Microsoft Pluton as Trusted Platform Module
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@ -1,5 +1,5 @@
 ---
-ms.date: 02/25/2025
+ms.date: 04/22/2025
 title: Considerations and known issues when using Credential Guard
 description: Considerations, recommendations, and known issues when using Credential Guard.
 ms.topic: troubleshooting
@ -112,6 +112,12 @@ When data protected with user DPAPI is unusable, then the user loses access to a

 **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).

+### Azure Virtual Machines lose access to the data protected by Credential Guard after deallocation
+
+When an Azure Virtual Machine is deallocated, the underlying hardware is released, causing the keys protected by the TPM to become inaccessible. Consequently, any data protected by those keys also becomes inaccessible.
+
+For more information, see [States and billing status of Azure Virtual Machines](/azure/virtual-machines/states-billing#power-states-and-billing).
+
 ## Known issues

 Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled.
--- a/windows/security/identity-protection/hello-for-business/includes/expiration.md
+++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md
@ -15,3 +15,12 @@ The default value is 0.
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)<br><br>`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) |
 | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**|
+
+> [!NOTE]
+> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
+>
+> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled.
+>
+> On such devices, PIN expiration is not supported.
+
+
--- a/windows/security/identity-protection/hello-for-business/includes/history.md
+++ b/windows/security/identity-protection/hello-for-business/includes/history.md
@ -18,3 +18,10 @@ The default value is 0.
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)<br><br>`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) |
 | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
+
+> [!NOTE]
+> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
+>
+> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled.
+>
+> On such devices, PIN history is not supported.
--- a/windows/security/images/icons/csp.svg
+++ b/windows/security/images/icons/csp.svg
@ -0,0 +1,10 @@
+<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_461_479)">
+<path d="M9.01098 0.225006C9.67158 0.23262 10.3296 0.30894 10.9743 0.452742C11.2558 0.515517 11.4663 0.750165 11.4982 1.03677L11.6514 2.41094C11.7208 3.04188 12.2535 3.51976 12.8885 3.52043C13.0593 3.5207 13.2281 3.48515 13.3859 3.41535L14.6464 2.86161C14.9086 2.74644 15.215 2.80923 15.4106 3.01826C16.3216 3.99118 17 5.15804 17.3949 6.43103C17.4801 6.70553 17.3821 7.00383 17.1508 7.17436L16.0334 7.99795C15.7146 8.23213 15.5264 8.60401 15.5264 8.99956C15.5264 9.39502 15.7146 9.7669 16.0341 10.0016L17.1524 10.8255C17.3838 10.9959 17.4819 11.2943 17.3967 11.5689C17.002 12.8417 16.3239 14.0084 15.4135 14.9815C15.218 15.1905 14.9119 15.2535 14.6498 15.1385L13.3841 14.5841C13.0219 14.4256 12.6061 14.4488 12.2639 14.6466C11.9217 14.8443 11.694 15.1931 11.6505 15.5859L11.4983 16.96C11.4669 17.2433 11.261 17.4764 10.9836 17.5424C9.68004 17.8525 8.32185 17.8525 7.01823 17.5424C6.74092 17.4764 6.53495 17.2433 6.50356 16.96L6.35162 15.588C6.30699 15.1959 6.07891 14.8482 5.73698 14.6511C5.39506 14.454 4.97988 14.4309 4.61898 14.5885L3.35301 15.143C3.0908 15.258 2.78463 15.195 2.5891 14.9858C1.67816 14.0117 1.00007 12.8435 0.605881 11.5693C0.520975 11.2949 0.619075 10.9967 0.850366 10.8264L1.96936 10.002C2.28809 9.7678 2.47632 9.39592 2.47632 9.00046C2.47632 8.60491 2.28809 8.23303 1.96894 7.99858L0.850645 7.17557C0.619021 7.00511 0.520831 6.70661 0.606034 6.43193C1.00091 5.15894 1.67935 3.99208 2.59032 3.01916C2.78603 2.81013 3.09235 2.74734 3.35452 2.86251L4.61486 3.41615C4.97751 3.57531 5.39442 3.55127 5.73819 3.35043C6.08048 3.15189 6.30836 2.8028 6.35235 2.40988L6.50542 1.03677C6.53739 0.750021 6.74807 0.515292 7.02972 0.452652C7.67529 0.309084 8.334 0.232791 9.01098 0.225006ZM8.99973 6.29996C7.50852 6.29996 6.29973 7.5088 6.29973 9.00001C6.29973 10.4911 7.50852 11.7 8.99973 11.7C10.4909 11.7 11.6997 10.4911 11.6997 9.00001C11.6997 7.5088 10.4909 6.29996 8.99973 6.29996Z" fill="#0883D9"/>
+</g>
+<defs>
+<clipPath id="clip0_461_479">
+<rect width="18" height="18" fill="white"/>
+</clipPath>
+</defs>
+</svg>
--- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@ -139,7 +139,7 @@ To enroll a certificate from an existing certificate authority:
 1. Select **All Tasks** > **Request New Certificate**
 1. When the Certificate Enrollment wizard opens, select **Next**
 1. Select **Active Directory Enrollment Policy**
-1. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**
+1. Choose the certificate template that was created for Network Unlock on the domain controller. In case the message "More information is required to enroll for this certificate. Click here to configure settings." is shown, click on it. On the new window, in **Subject** tab, under **Alternative names**, select **DNS** and set the FQDN of the WDS server. Save the changes by clicking **OK** and then select **Enroll**
 1. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate For example: *BitLocker Network Unlock Certificate for Contoso domain*
 1. Create the certificate. Ensure the certificate appears in the **Personal** folder
 1. Export the public key certificate for Network Unlock:
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@ -1,7 +1,7 @@
 ---
 title: Account protection in Windows Security
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -19,10 +19,8 @@ You can also choose to hide the section from users of the device, if you don't w

 You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

-You can only configure these settings by using Group Policy.
-
 > [!IMPORTANT]
-> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select  **Edit**.
 1. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@ -31,6 +29,6 @@ You can only configure these settings by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@ -1,7 +1,7 @@
 ---
 title: App & browser control in Windows Security
 description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -11,31 +11,27 @@ The **App and browser control** section contains information and settings for Wi

 In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).

-You can also choose to hide the section from users of the machine. This option can be useful if you don't want users in your organization to see or have access to user-configured options for the features shown in the section.
+You can also choose to hide the section from users of the machine. This option can be useful if you don't want users in your organization to have access to user-configured options for the features shown in the section.

 ## Prevent users from making changes to the Exploit protection area in the App & browser control section

-You can prevent users from modifying settings in the Exploit protection area. The settings are either greyed out or don't appear if you enable this setting. Users still have access to other settings in the App & browser control section, such as those settings for Windows Defender SmartScreen, unless those options are separately.
-
-You can only prevent users from modifying Exploit protection settings by using Group Policy.
+You can prevent users from modifying settings in the Exploit protection area. The settings are either grayed out or don't appear if you enable this setting. Users still have access to other settings in the App & browser control section, such as those settings for Windows Defender SmartScreen, unless those options are separately.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
 2. In the **Group Policy Management Editor**, go to **Computer configuration**, select **Policies** and then **Administrative templates**.
 3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Select **OK**.
+4. Select the **Prevent users from modifying settings** setting and set it to **Enabled**. Select **OK**.
 5. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 ## Hide the App & browser control section

-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
-
-This section can be hidden only by using Group Policy.
+You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object you want to configure and select **Edit**.
 2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
@ -44,6 +40,6 @@ This section can be hidden only by using Group Policy.
 5. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@ -1,7 +1,7 @@
 ---
 title: Customize Windows Security contact information in Windows Security
 description: Provide information to your users on how to contact your IT department when a security issue occurs
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -33,10 +33,6 @@ There are two stages to using the contact card and customized notifications. Fir
 1. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:

    1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Select **OK**.
-
-        > [!NOTE]
-        > This can only be done in Group Policy.
-
    1. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Select **OK**.

 1. After you enable the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Select **OK**.
@ -57,4 +53,4 @@ To enable the customized notifications and add the contact information in Intune
 - [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).

 > [!IMPORTANT]
-> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
+> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you don't specify the contact name and a contact method, the contact card isn't visible, and notifications aren't customized.
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@ -1,7 +1,7 @@
 ---
 title: Device & performance health in Windows Security
 description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -10,16 +10,14 @@ ms.topic: how-to

 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine.

-This section can be hidden from users of the machine. This option can be useful if you don't want users in your organization to see or have access to user-configured options for the features shown in the section.
+This section can be hidden from users of the machine. This option can be useful if you don't want users in your organization to have access to user-configured options for the features shown in the section.

 ## Hide the Device performance & health section

-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
-
-This section can be hidden only by using Group Policy.
+You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@ -28,6 +26,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@ -1,7 +1,7 @@
 ---
 title: Device security in Windows Security
 description: Use the Device security section to manage security built into your device, including Virtualization-based security.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -9,14 +9,14 @@ ms.topic: how-to

 The **Device security** section contains information and settings for built-in device security.

-You can choose to hide the section from users of the machine. This option can be useful if you don't want users in your organization to see or have access to user-configured options for the features shown in the section.
+You can choose to hide the section from users of the machine. This option can be useful if you don't want users in your organization to have access to user-configured options for the features shown in the section.

 ## Hide the Device security section

-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side. You can hide the device security section by using Group Policy only.
+You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

 > [!IMPORTANT]
-> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
@ -25,7 +25,7 @@ You can choose to hide the entire section by using Group Policy. The section won
 1. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

@ -34,7 +34,7 @@ You can choose to hide the entire section by using Group Policy. The section won
 If you don't want users to be able to select the **Clear TPM** button in **Windows Security**, you can disable it.

 > [!IMPORTANT]
-> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@ -1,7 +1,7 @@
 ---
 title: Family options in Windows Security
 description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -15,12 +15,10 @@ This section can be hidden from users of the machine. This option can be useful

 ## Hide the Family options section

-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
-
-This section can be hidden only by using Group Policy.
+You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@ -29,6 +27,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@ -1,7 +1,7 @@
 ---
 title: Firewall and network protection in Windows Security
 description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -9,16 +9,14 @@ ms.topic: how-to

 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Firewall and any other non-Microsoft firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).

-This section can be hidden from users of the machine. This information is useful if you don't want users in your organization to see or have access to user-configured options for the features shown in the section.
+This section can be hidden from users of the machine. This information is useful if you don't want users in your organization to have access to user-configured options for the features shown in the section.

 ## Hide the Firewall & network protection section

-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
-
-This section can be hidden only by using Group Policy.
+You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the Group Policy Management Console. Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@ -27,6 +25,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@ -1,7 +1,7 @@
 ---
 title: Hide notifications from Windows Security
 description: Prevent Windows Security notifications from appearing on user endpoints
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

@ -9,7 +9,7 @@ ms.topic: how-to

 **Windows Security** is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.

-In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the users in your organization.
+In some cases, it might not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the users in your organization.

 There are two levels to hiding notifications:

@ -18,16 +18,12 @@ There are two levels to hiding notifications:

 If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting has no effect.

-You can only use Group Policy to change these settings.
-
 ## Use Group Policy to hide noncritical notifications

 You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).

-These notifications can be hidden only by using Group Policy.
-
 > [!IMPORTANT]
-> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
@ -38,20 +34,14 @@ These notifications can be hidden only by using Group Policy.

 ## Use Group Policy to hide all notifications

-You can hide all notifications that are sourced from **Windows Security**. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
-
-These notifications can be hidden only by using Group Policy.
+You can hide all notifications that are sourced from **Windows Security**. This option might be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.

 > [!IMPORTANT]
-> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
-
-    > [!NOTE]
-    > For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
-
+1. Expand the tree to **Windows components > Windows Security > Notifications**.
 1. Open the **Hide all notifications** setting and set it to **Enabled**. Select **OK**.
 1. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

@ -72,49 +62,49 @@ These notifications can be hidden only by using Group Policy.

 ## Notifications

-| Purpose | Notification text | Toast Identifier | Critical? |Notification Toggle|
-|---------|------------------|-------------|-----------|---------|
-| Network isolation | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk. | SENSE_ISOLATION | Yes |Firewall and network protection notification|
-| Network isolation customized | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_. | SENSE_ISOLATION_CUSTOM (body) | Yes |Firewall and network protection notification|
-| Restricted access | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION | Yes |Firewall and network protection notification|
-| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |Firewall and network protection notification|
-| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
-| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
-| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
-| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
-| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
-| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
-| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
-| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification|
-| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won't be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
-| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification|
-| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification|
-| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification|
-| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus didn't find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification|
-| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus didn't find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification|
-| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
-| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
-| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
-| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
-| Long running BaFS | Your IT administrator  requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
-| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
-| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
-| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
-| Ransomware specific detection | Microsoft Defender Antivirus has detected threats, which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification|
-| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |Firewall and network protection notification|
-| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
-| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |Firewall and network protection notification|
-| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
-| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |Firewall and network protection notification|
-| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |Firewall and network protection notification|
-| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |Firewall and network protection notification|
-| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
-| Network isolation ended |  |  | No |Firewall and network protection notification|
-| Network isolation ended, customized |  |  | No |Firewall and network protection notification|
-| Restricted access ended |  |  | No |Firewall and network protection notification|
-| Restricted access ended, customized |  |  | No |Firewall and network protection notification|
-| Dynamic lock on, but bluetooth off |  |  | No |Account protection notification|
-| Dynamic lock on, bluetooth on, but device unpaired |  |  | No |Account protection notification|
-| Dynamic lock on, bluetooth on, but unable to detect device |  |  | No |Account protection notification|
-| NoPa or federated no hello |  |  | No |Account protection notification|
-| NoPa or federated hello broken |  |  | No |Account protection notification|
+| Purpose                                                                               | Notification text                                                                                                                                           | Toast Identifier                              | Critical? | Notification Toggle                          |
+|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|-----------|----------------------------------------------|
+| Network isolation                                                                     | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk.                                                          | SENSE_ISOLATION                               | Yes       | Firewall and network protection notification |
+| Network isolation customized                                                          | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_.                          | SENSE_ISOLATION_CUSTOM (body)                 | Yes       | Firewall and network protection notification |
+| Restricted access                                                                     | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk.            | SENSE_PROCESS_RESTRICTION                     | Yes       | Firewall and network protection notification |
+| Restricted access customized                                                          | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk.                        | SENSE_PROCESS_RESTRICTION_CUSTOM (body)       | Yes       | Firewall and network protection notification |
+| HVCI, driver compat check fails (upon trying to enable)                               | There may be an incompatibility on your device.                                                                                                             | HVCI_ENABLE_FAILURE                           | Yes       | Firewall and network protection notification |
+| HVCI, reboot needed to enable                                                         | The recent change to your protection settings requires a restart of your device.                                                                            | HVCI_ENABLE_SUCCESS                           | Yes       | Firewall and network protection notification |
+| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings.                                                        | ITEM_SKIPPED                                  | Yes       | Virus & threat protection notification       |
+| Remediation failure                                                                   | Microsoft Defender Antivirus couldn't completely resolve potential threats.                                                                                 | CLEAN_FAILED                                  | Yes       | Virus & threat protection notification       |
+| Follow-up action (restart & scan)                                                     | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan                                                  | MANUALSTEPS_REQUIRED                          | Yes       | Virus & threat protection notification       |
+| Follow-up action (restart)                                                            | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device.                                                                                 | WDAV_REBOOT                                   | Yes       | Virus & threat protection notification       |
+| Follow-up action (Full scan)                                                          | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device.                                                                      | FULLSCAN_REQUIRED                             | Yes       | Virus & threat protection notification       |
+| Sample submission prompt                                                              | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED                    | Yes       | Virus & threat protection notification       |
+| OS support ending warning                                                             | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won't be supported, and your device might be at risk.   | SUPPORT_ENDING                                | Yes       | Virus & threat protection notification       |
+| OS support ended, device at risk                                                      | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk.                       | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes       | Virus & threat protection notification       |
+| Summary notification, items found                                                     | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times.                            | RECAP_FOUND_THREATS_SCANNED                   | No        | Virus & threat protection notification       |
+| Summary notification, items found, no scan count                                      | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary.                                                               | RECAP_FOUND_THREATS                           | No        | Virus & threat protection notification       |
+| Summary notification, **no** items found, scans performed                             | Microsoft Defender Antivirus didn't find any threats since your last summary. Your device was scanned _n_ times.                                            | RECAP_NO THREATS_SCANNED                      | No        | Virus & threat protection notification       |
+| Summary notification, **no** items found, no scans                                    | Microsoft Defender Antivirus didn't find any threats since your last summary.                                                                               | RECAP_NO_THREATS                              | No        | Virus & threat protection notification       |
+| Scan finished, manual, threats found                                                  | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats.                                                 | RECENT_SCAN_FOUND_THREATS                     | No        | Virus & threat protection notification       |
+| Scan finished, manual, **no** threats found                                           | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found.                                                           | RECENT_SCAN_NO_THREATS                        | No        | Virus & threat protection notification       |
+| Threat found                                                                          | Microsoft Defender Antivirus found threats. Get details.                                                                                                    | CRITICAL                                      | No        | Virus & threat protection notification       |
+| LPS on notification                                                                   | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection.                       | PERIODIC_SCANNING_ON                          | No        | Virus & threat protection notification       |
+| Long running BaFS                                                                     | Your IT administrator  requires a security scan of this item. The scan could take up to _n_ seconds.                                                        | BAFS                                          | No        | Firewall and network protection notification |
+| Long running BaFS customized                                                          | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds.                                                                     | BAFS_DETECTED_CUSTOM (body)                   | No        | Firewall and network protection notification |
+| Sense detection                                                                       | This application was removed because it was blocked by your IT security settings                                                                            | WDAV_SENSE_DETECTED                           | No        | Firewall and network protection notification |
+| Sense detection customized                                                            | This application was removed because it was blocked by your IT security settings                                                                            | WDAV_SENSE_DETECTED_CUSTOM (body)             | No        | Firewall and network protection notification |
+| Ransomware specific detection                                                         | Microsoft Defender Antivirus has detected threats, which may include ransomware.                                                                            | WDAV_RANSOMWARE_DETECTED                      | No        | Virus & threat protection notification       |
+| ASR (HIPS) block                                                                      | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk.                                              | HIPS_ASR_BLOCKED                              | No        | Firewall and network protection notification |
+| ASR (HIPS) block customized                                                           | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk.                                                          | HIPS_ASR_BLOCKED_CUSTOM (body)                | No        | Firewall and network protection notification |
+| CFA (FolderGuard) block                                                               | Controlled folder access blocked _process_ from making changes to the folder _path_                                                                         | FOLDERGUARD_BLOCKED                           | No        | Firewall and network protection notification |
+| Network protect (HIPS) network block customized                                       | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk.                                              | HIPS_NETWORK_BLOCKED_CUSTOM (body)            | No        | Firewall and network protection notification |
+| Network protection (HIPS) network block                                               | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk.                                  | HIPS_NETWORK_BLOCKED                          | No        | Firewall and network protection notification |
+| PUA detection, not blocked                                                            | Your settings cause the detection of any app that might perform unwanted actions on your computer.                                                          | PUA_DETECTED                                  | No        | Firewall and network protection notification |
+| PUA notification                                                                      | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device.                          | PUA_BLOCKED                                   | No        | Firewall and network protection notification |
+| PUA notification, customized                                                          | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device.                                 | PUA_BLOCKED_CUSTOM (body)                     | No        | Firewall and network protection notification |
+| Network isolation ended                                                               |                                                                                                                                                             |                                               | No        | Firewall and network protection notification |
+| Network isolation ended, customized                                                   |                                                                                                                                                             |                                               | No        | Firewall and network protection notification |
+| Restricted access ended                                                               |                                                                                                                                                             |                                               | No        | Firewall and network protection notification |
+| Restricted access ended, customized                                                   |                                                                                                                                                             |                                               | No        | Firewall and network protection notification |
+| Dynamic lock on, but bluetooth off                                                    |                                                                                                                                                             |                                               | No        | Account protection notification              |
+| Dynamic lock on, bluetooth on, but device unpaired                                    |                                                                                                                                                             |                                               | No        | Account protection notification              |
+| Dynamic lock on, bluetooth on, but unable to detect device                            |                                                                                                                                                             |                                               | No        | Account protection notification              |
+| NoPa or federated no hello                                                            |                                                                                                                                                             |                                               | No        | Account protection notification              |
+| NoPa or federated hello broken                                                        |                                                                                                                                                             |                                               | No        | Account protection notification              |
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@ -1,13 +1,13 @@
 ---
 title: Virus and threat protection in Windows Security
 description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party antivirus products.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: how-to
 ---

 # Virus and threat protection

-The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party antivirus products. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and non-Microsoft antivirus products. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.

 IT administrators and IT pros can get more configuration information from these articles:

@ -22,12 +22,10 @@ You can hide the **Virus & threat protection** section or the **Ransomware prote

 ## Hide the Virus & threat protection section

-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
-
-This section can be hidden only by using Group Policy.
+You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object (GPO) you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@ -36,18 +34,16 @@ This section can be hidden only by using Group Policy.
 1. [Deploy](/windows/win32/srvnodes/group-policy) the updated GPO as you normally do.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

 ## Hide the Ransomware protection area

-You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of **Windows Security**.
-
-This area can be hidden only by using Group Policy.
+You can choose to hide the **Ransomware protection** area by using Group Policy. When hidden, this area doesn't appear on the **Virus & threat protection** section of **Windows Security**.

 > [!IMPORTANT]
-> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings.

 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object you want to configure and select **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@ -1,7 +1,7 @@
 ---
 title: Windows Security
 description: Windows Security brings together common Windows security features into one place.
-ms.date: 06/27/2024
+ms.date: 04/15/2025
 ms.topic: article
 ---

@ -15,7 +15,7 @@ This article describes **Windows Security** settings, and provides information o
 ![Screenshot of the Windows Security showing that the device is protected and five icons for each of the features.](images/security-center-home.png)

 > [!NOTE]
-> **Windows Security** is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
+> **Windows Security** is a client interface on Windows 10, version 1703 and later. It isn't the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).

 You can't uninstall **Windows Security**, but you can do one of the following actions:

@ -34,7 +34,7 @@ For more information about each section, options for configuring the sections, a
 - [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.

 > [!NOTE]
-> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
+> If you hide all sections, then **Windows Security** shows a restricted interface, as in the following screenshot:
 >
 > ![Windows Security with all sections hidden by group policy.](images/wdsc-all-hide.png)

@ -53,27 +53,18 @@ For more information about each section, options for configuring the sections, a
    ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png)

 > [!NOTE]
-> Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Configuration Manager, will generally take precedence over the settings in the Windows Security.
+> Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Configuration Manager, take precedence over the settings in the Windows Security.

 ## How Windows Security works with Windows security features

 > [!IMPORTANT]
 > **Microsoft Defender Antivirus** and **Windows Security** use similarly named services for specific purposes.
 >
-> The **Windows Security** uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that **Windows Security** provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
+> The **Windows Security** uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that **Windows Security** provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Firewall, third-party firewalls, and other security protection.
 >
-> These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.
+> These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services doesn't disable Microsoft Defender Antivirus. It leads to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.
 >
-> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
->
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/index.md).
-
-> [!WARNING]
-> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->
-> It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
->
-> This will significantly lower the protection of your device and could lead to malware infection.
+> Microsoft Defender Antivirus is [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).

 **Windows Security** operates as a separate app or process from each of the individual features, and displays notifications through the Action Center.

@ -82,6 +73,11 @@ It acts as a collector or single place to see the status and perform some config
 If you disable any of the individual features, it prevents that feature from reporting its status in **Windows Security**. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager, **Windows Security** itself still runs and shows status for the other security features.

 > [!IMPORTANT]
-> If you individually disable any of the services, it won't disable the other services or **Windows Security** itself.
+> If you individually disable any of the services, it doesn't disable the other services or **Windows Security** itself.

 For example, [using a third-party antivirus disables Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, **Windows Security** still runs, shows its icon in the taskbar, and displays information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
+
+> [!WARNING]
+> Disabling the Windows Security Center Service doesn't disable Microsoft Defender Antivirus or [Windows Firewall](../../network-security/windows-firewall/index.md). If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** might display stale or inaccurate information about any antivirus or firewall products installed on the device.
+>
+> It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed. This will significantly lower the protection of your device and could lead to malware infection.
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@ -1,7 +1,7 @@
 ---
 title: Available Microsoft Defender SmartScreen settings
 description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.date: 10/10/2024
+ms.date: 04/15/2025
 ms.topic: reference
 ---

@ -42,16 +42,16 @@ By default, Microsoft Defender SmartScreen lets users bypass warnings. Unfortuna

 To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.

-|Group Policy setting|Recommendation|
-|--- |--- |
-|Administrative Templates > Windows Components > Microsoft Edge > Configure Windows Defender SmartScreen|**Enable.**  Turns on Microsoft Defender SmartScreen.|
-|Administrative Templates > Windows Components > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites|**Enable.**  Stops users from ignoring warning messages and continuing to a potentially malicious website.|
-|Administrative Templates > Windows Components > Explorer > Configure Windows Defender SmartScreen|**Enable with the Warn and prevent bypass option.**  Stops users from ignoring warning messages about malicious files downloaded from the Internet.|
+| Group Policy setting | Recommendation |
+|--|--|
+| Administrative Templates > Windows Components > Microsoft Edge > Configure Windows Defender SmartScreen | **Enable.**  Turns on Microsoft Defender SmartScreen. |
+| Administrative Templates > Windows Components > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites | **Enable.**  Stops users from ignoring warning messages and continuing to a potentially malicious website. |
+| Administrative Templates > Windows Components > Explorer > Configure Windows Defender SmartScreen | **Enable with the Warn and prevent bypass option.**  Stops users from ignoring warning messages about malicious files downloaded from the Internet. |

-|MDM setting|Recommendation|
-|--- |--- |
-|Browser/AllowSmartScreen|**1.**  Turns on Microsoft Defender SmartScreen.|
-|Browser/PreventSmartScreenPromptOverride|**1.**  Stops users from ignoring warning messages and continuing to a potentially malicious website.|
-|Browser/PreventSmartScreenPromptOverrideForFiles|**1.**  Stops users from ignoring warning messages and continuing to download potentially malicious files.|
-|SmartScreen/EnableSmartScreenInShell|**1.**  Turns on Microsoft Defender SmartScreen in Windows.<br/><br/>Requires at least Windows 10, version 1703.|
-|SmartScreen/PreventOverrideForFilesInShell|**1.**  Stops users from ignoring warning messages about malicious files downloaded from the Internet.<br/><br/>Requires at least Windows 10, version 1703.|
+| MDM setting | Recommendation |
+|--|--|
+| Browser/AllowSmartScreen | **1.**  Turns on Microsoft Defender SmartScreen. |
+| Browser/PreventSmartScreenPromptOverride | **1.**  Stops users from ignoring warning messages and continuing to a potentially malicious website. |
+| Browser/PreventSmartScreenPromptOverrideForFiles | **1.**  Stops users from ignoring warning messages and continuing to download potentially malicious files. |
+| SmartScreen/EnableSmartScreenInShell | **1.**  Turns on Microsoft Defender SmartScreen in Windows.<br/><br/>Requires at least Windows 10, version 1703. |
+| SmartScreen/PreventOverrideForFilesInShell | **1.**  Stops users from ignoring warning messages about malicious files downloaded from the Internet.<br/><br/>Requires at least Windows 10, version 1703. |
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@ -1,7 +1,7 @@
 ---
 title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
 description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 07/10/2024
+ms.date: 04/15/2025
 ms.topic: article
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a>
@ -19,7 +19,7 @@ If a user signs into Windows using a password, Enhanced Phishing Protection work
 - If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.

 > [!NOTE]
-> When a user signs in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/).
+> When a user signs in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection doesn't alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/).

 ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen

@ -37,7 +37,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc

 ## Configure Enhanced Phishing Protection for your organization

-Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO, or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO, or CSP.

 | Setting | Description |
 |--|--|
@ -65,17 +65,7 @@ To configure devices using Microsoft Intune, create a [**Settings catalog** poli

 Assign the policy to a security group that contains as members the devices or users that you want to configure.

-#### [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-
-Enhanced Phishing Protection can be configured using the following group policy settings found under **Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection**:
-
- Automatic Data Collection
- Service Enabled
- Notify Malicious
- Notify Password Reuse
- Notify Unsafe App
-
-#### [:::image type="icon" source="../../../images/icons/gear.svg"::: **CSP**](#tab/csp)
+#### [:::image type="icon" source="../../../images/icons/csp.svg"::: **CSP**](#tab/csp)

 Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1].

@ -87,11 +77,21 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
 | **NotifyUnsafeApp**         | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp`         | Integer   |
 | **ServiceEnabled**          | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled`          | Integer   |

+#### [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+Enhanced Phishing Protection can be configured using the following group policy settings found under **Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection**:
+
+- Automatic Data Collection
+- Service Enabled
+- Notify Malicious
+- Notify Password Reuse
+- Notify Unsafe App
+
 ---

 ### Recommended settings for your organization

-By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
+By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, we recommend that you configure Enhanced Phishing Protection to warn users during all protection scenarios.

 | Setting                   | Default Value                                                                                              | Recommendation                                                                                                                                                                                                        |
 |---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@ -113,6 +113,16 @@ To better help you protect your organization, we recommend turning on and using
 | Notify Password Reuse     | **Enabled**       |
 | Notify Unsafe App         | **Enabled**       |

+#### [:::image type="icon" source="../../../images/icons/csp.svg"::: **CSP**](#tab/csp)
+
+| MDM setting             | Recommended value |
+|-------------------------|-------------------|
+| AutomaticDataCollection | **1**             |
+| ServiceEnabled          | **1**             |
+| NotifyMalicious         | **1**             |
+| NotifyPasswordReuse     | **1**             |
+| NotifyUnsafeApp         | **1**             |
+
 #### [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)

 | Group Policy setting      | Recommended value |
@ -123,16 +133,6 @@ To better help you protect your organization, we recommend turning on and using
 | Notify Password Reuse     | **Enabled**       |
 | Notify Unsafe App         | **Enabled**       |

-#### [:::image type="icon" source="../../../images/icons/gear.svg"::: **CSP**](#tab/csp)
-
-| MDM setting             | Recommended value |
-|-------------------------|-------------------|
-| AutomaticDataCollection | **1**             |
-| ServiceEnabled          | **1**             |
-| NotifyMalicious         | **1**             |
-| NotifyPasswordReuse     | **1**             |
-| NotifyUnsafeApp         | **1**             |
-
 ---

 ## Related articles
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender SmartScreen overview
 description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-ms.date: 07/10/2024
+ms.date: 04/15/2025
 ms.topic: overview
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -35,7 +35,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites
 - **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).

 > [!IMPORTANT]
-> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
+> SmartScreen protects against malicious files from the internet. It doesn't protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.

 [!INCLUDE [microsoft-defender-smartscreen](../../../../../includes/licensing/microsoft-defender-smartscreen.md)]

--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@ -47,6 +47,7 @@ The features in this article are no longer being actively developed, and might b

 | Feature | Details and mitigation  | Deprecation announced |
 |---|---|---|
+| VBS enclaves for Windows 11, version 23H2 and earlier <!--9693593-->| [VBS enclaves](/windows/win32/trusted-execution/vbs-enclaves) are being deprecated on Windows 11, version 23H2 and earlier versions of Windows. Support for VBS enclaves will continue for Windows 11, version 24H2 and later. </br> </br> VBS enclaves are being [deprecated on Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server) and earlier versions of Windows Server. Support for VBS enclaves will continue for Windows Server 2025 and later. | April 2025 |
 | Windows UWP Map control and Windows Maps platform APIs <!--9853556--> | The [Windows UWP Map control](/uwp/api/windows.ui.xaml.controls.maps) and [Windows Maps platform APIs](/uwp/api/windows.services.maps) within Windows have been deprecated as of April 8, 2025. The Maps UWP Control and Maps platform support within Windows will continue to function but will not be updated. For more information, see [Resources for deprecated features](deprecated-features-resources.md#windows-uwp-map-control-and-windows-maps-platform-apis). | April 8, 2025 |
 | Line printer daemon (LPR/LPD) <!--9787121--> | Deprecation reminder: [The line printer daemon protocol (LPR/LPD) was deprecated](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) starting in Windows Server 2012. As removal of the line printer daemon protocol nears, we'd like to remind customers to ensure their environments are prepared for removal. When these features are eventually removed, clients that print to a server using this protocol, such as UNIX clients, will not be able to connect or print. Instead, UNIX clients should use IPP. Windows clients can connect to UNIX shared printers using the [Windows Standard Port Monitor](/troubleshoot/windows-server/printing/standard-port-monitor-for-tcpip).  | [Original announcement: Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) </br> <br> Courtesy reminder: February 2025 |
 | Location History <!--9798092--> | We are deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 |
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@ -8,7 +8,7 @@ author: mestew
 manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 03/18/2025
+ms.date: 04/14/2025
 ms.collection:
  - highpri
  - tier2
@ -23,6 +23,8 @@ The Windows 10 Extended Security Updates (ESU) program gives customers the optio

 Individuals or organizations who elect to continue using Windows 10 after support ends on October 14, 2025, will have the option of enrolling their PCs into a paid ESU subscription. The ESU program enables PCs to continue to receive critical and important security updates through an annual subscription service after support ends. The [Microsoft Security Response Center](https://msrc.microsoft.com/) defines the [severity rating for security updates](https://www.microsoft.com/msrc/security-update-severity-rating-system).

+> [!Note]
+> Looking for consumer information? For individuals or Windows 10 Home customers, more information about Extended Security Updates for Windows 10 is available in the frequently asked questions section of the [End of support for Windows 10](https://www.microsoft.com/windows/end-of-support) page. <!--10013381-->

 ## Device prerequisites

@ -45,7 +47,19 @@ The following are frequently asked questions about the ESU program for Windows 1

 ### How much does ESU cost?

-Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines in the following services:
+
+- [Windows 365](/windows-365/overview) 
+- [Azure Virtual Desktop](/azure/virtual-desktop/overview)
+- [Azure virtual machines](/azure/virtual-machines/overview)
+- [Azure Dedicated Host](/azure/virtual-machines/dedicated-hosts)
+- [Azure VMware Solution](/azure/azure-vmware/introduction)
+- [Nutanix Cloud Clusters on Azure](/azure/baremetal-infrastructure/workloads/nc2-on-azure/about-nc2-on-azure)
+- [Azure Local](/azure/azure-local/overview) (Azure Local is the new name for Azure Stack HCI)
+- [Azure Stack Hub](/azure-stack/operator/azure-stack-overview)
+- [Azure Stack Edge](/azure/databox-online/)
+
+Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).

 For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year.