Merge branch 'main' into do_docs

2025-06-15 18:33:43 +00:00 · 2024-05-24 20:12:15 -06:00
parent 5730390886 37013f24fb
commit 5d1e0c60d0
347 changed files with 3826 additions and 15918 deletions
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -112,6 +112,8 @@
              href: update/waas-manage-updates-wsus.md
            - name: Deploy updates with Group Policy
              href: update/waas-wufb-group-policy.md
+            - name: Deploy updates using CSPs and MDM
+              href: update/waas-wufb-csp-mdm.md              
            - name: Update Windows client media with Dynamic Update
              href: update/media-dynamic-update.md
            - name: Migrating and acquiring optional Windows content
@ -138,6 +140,8 @@
              href: update/waas-integrate-wufb.md
            - name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
              href: update/waas-wufb-group-policy.md
+            - name: Deploy updates using CSPs and MDM
+              href: update/waas-wufb-csp-mdm.md
        - name: Windows Update for Business deployment service
          items:
          - name: Windows Update for Business deployment service overview
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@ -1,13 +1,13 @@
 ---
 title: Customize Windows PE boot images
-description: This article describes how to customize a Windows PE (WinPE) boot image including updating with the latest cumulative update, adding drivers, and adding optional components.
+description: This article describes how to customize a Windows PE (WinPE) boot image including updating it with the latest cumulative update, adding drivers, and adding optional components.
 ms.service: windows-client
 ms.localizationpriority: medium
 author: frankroj
 manager: aaroncz
 ms.author: frankroj
 ms.topic: article
-ms.date: 09/05/2023
+ms.date: 05/09/2024
 ms.subservice: itpro-deploy
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -88,7 +88,8 @@ This walkthrough describes how to customize a Windows PE boot image including up

 > [!NOTE]
 >
-> When updating the boot image in the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads), download the cumulative update for Windows 10 Version 22H2.
+> - When updating the boot image in the [ADK 10.1.25398.1 (September 2023)](/windows-hardware/get-started/adk-install#download-the-adk-101253981-september-2023), download the **Cumulative Update for Microsoft server operating system version 23H2 for x64-based Systems**.
+> - When updating the boot image in the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads), download the **Cumulative Update for Windows 10 Version 22H2**.

 ## Step 3: Backup existing boot image

@ -141,7 +142,7 @@ For more information, see [copy](/windows-server/administration/windows-commands

 > [!IMPORTANT]
 >
-> When using the default `winpe.wim` boot image from the **Windows PE add-on for the Windows ADK**, it's recommended to always have a backed copy of the original unmodified boot image. This allows reverting back to the pristine untouched original boot image in case any issues occur with any iteration of an updated boot image. Additionally, whenever a new cumulative update needs to be applied to a boot image, it's recommended to always start fresh and update from the original boot image with no updates instead of updating a previously updated boot image.
+> When using the default `winpe.wim` boot image from the **Windows PE add-on for the Windows ADK**, it's recommended to always have a backed up copy of the original unmodified boot image. This allows reverting back to the pristine untouched original boot image in case any issues occur with any iteration of an updated boot image. Additionally, whenever a new cumulative update needs to be applied to a boot image, it's recommended to always start fresh and update from the original boot image with no updates instead of updating a previously updated boot image.

 ## Step 4: Mount boot image to mount folder

--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@ -27,7 +27,7 @@ Use the table below to reference any particular content types or services endpoi

 |Domain Name  |Protocol/Port(s)  | Content Type | Additional Information | Microsoft Connected Cache Version |
 |---------|---------|---------------|-------------------|-----------------|
-| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers </br> Windows Store | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
+| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers </br> Windows Store | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
 | *.delivery.mp.microsoft.com  |  HTTP / 80  | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Both |
 | *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net |  HTTP / 80  | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Both |
 | *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com |  HTTP / 80 </br> HTTPs / 443  | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Both |
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@ -44,10 +44,10 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r
 ## Delivery Optimization service endpoint and data information

 |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint
-|--------------------------------------------|--------|---------------|-----------------------|------------------------
-| geover-prod.do.dsp.mp.microsoft.com <br> geo-prod.do.dsp.mp.microsoft.com <br> geo.prod.do.dsp.mp.microsoft.com <br> geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox) <br> **doClientVersion**: The version of the DoSvc client <br> **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies)
-| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country or region the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping ID <br> **CacheHost**: Cache host ID
-| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID <br> **CacheHost**: Cache host ID
-| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionID**: Client partitioning hint <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID
-| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **PeerID**:  Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eID**: Client grouping ID
-| dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com <br> download.windowsupdate.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer.
+|--------------------------------------------|--------|---------------|-----------------------|------------------------|
+| geover-prod.do.dsp.mp.microsoft.com <br> geo-prod.do.dsp.mp.microsoft.com <br> geo.prod.do.dsp.mp.microsoft.com <br> geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox) <br> **doClientVersion**: The version of the DoSvc client <br> **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) |
+| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country or region the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping ID <br> **CacheHost**: Cache host ID |
+| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID <br> **CacheHost**: Cache host ID |
+| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionID**: Client partitioning hint <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID |
+| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **PeerID**:  Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eID**: Client grouping ID |
+| dl.delivery.mp.microsoft.com <br> download.windowsupdate.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |  
--- a/windows/deployment/update/media/37063317-admin-center-software-updates.png
+++ b/windows/deployment/update/media/37063317-admin-center-software-updates.png
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@ -105,7 +105,6 @@ Ensure that devices can reach necessary Windows Update endpoints through the fir
 |Protocol  |Endpoint URL  |
 |---------|---------|
 |TLS 1.2         |  `*.prod.do.dsp.mp.microsoft.com`      |
-|HTTP     | `emdl.ws.microsoft.com`        |
 |HTTP     | `*.dl.delivery.mp.microsoft.com`        |
 |HTTP     |  `*.windowsupdate.com`       |
 |HTTPS     |  `*.delivery.mp.microsoft.com`       |
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@ -14,7 +14,7 @@ ms.localizationpriority: medium
 appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 11/07/2023
+ms.date: 05/16/2024
 ---

 # What is Windows Update for Business?
@ -112,7 +112,7 @@ Windows Update for Business provides controls to help meet your organization's s

 #### Recommended experience settings

-Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
+Features like active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:

 1. Automatically download, install, and restart (default if no restart policies are set up or enabled).
 1. Use the default notifications.
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@ -113,7 +113,7 @@ Starting in Windows 10 version 1809, you can define which Windows Update notific

 To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).

-Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
+Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260--> 

 To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).

--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@ -11,7 +11,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 01/18/2024
+ms.date: 05/16/2024
 ---

 # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@ -39,9 +39,9 @@ You can control when updates are applied, for example by deferring when an updat

 Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.

-To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#allowmuupdateservice).

-Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
+Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate).

 We also recommend that you allow Microsoft product updates as discussed previously.

@ -51,20 +51,20 @@ Drivers are automatically enabled because they're beneficial to device systems.

 1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. 

-1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
+1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#managepreviewbuilds). Set the option to **Enable preview builds**.

-1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
+1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.

-1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.

 #### I want to manage which released feature update my devices receive

 A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.

- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
- To defer a quality update: [Update/DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays)
- To pause a quality update: [Update/PauseQualityUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausequalityupdatesstarttime)
+- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferfeatureupdatesperiodindays)
+- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#pausefeatureupdatesstarttime)
+- To defer a quality update: [Update/DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferqualityupdatesperiodindays)
+- To pause a quality update: [Update/PauseQualityUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#pausequalityupdatesstarttime)

 #### Example

@ -103,42 +103,42 @@ Now all devices are paused from updating for 35 days. When the pause is removed,

 #### I want to stay on a specific version

-If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](/windows/release-health/release-information).
+If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](/windows/release-health/release-information).

 ### Manage how users experience updates

 #### I want to manage when devices download, install, and restart after updates

-We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
+We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours.

-For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
+For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart).

 It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.

-To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
+To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:

- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) 
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) 
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) 
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) 
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) 
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) 
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
+- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#scheduledinstallday) 
+- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstalleveryweek) 
+- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfirstweek) 
+- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfourthweek) 
+- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallsecondweek) 
+- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallthirdweek) 
+- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime)


 When you set these policies, installation happens automatically at the specified time and the device will restart 15 minutes after installation is complete (unless it's interrupted by the user).

-If you don't want to allow any automatic updates prior to the deadline, set [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) to Option 5, which turns off automatic updates.
+If you don't want to allow any automatic updates prior to the deadline, set [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) to Option 5, which turns off automatic updates.

 #### I want to keep devices secure and compliant with update deadlines

 We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:

- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates) 
+- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod)
 - [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
+- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautoreboot)

 These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.

@ -168,11 +168,37 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window

     ![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)

+#### <a name="user-settings-for-notifications"></a> End user settings for notifications
+<!--8936877-->
+*Applies to:*
+- Windows 11, version 23H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
+- Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
+
+Users can set a preference for notifications about pending restarts for updates under **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating**. This setting is end-user controlled and not controlled or configurable by IT administrators.
+
+Users have the following options for the **Notify me when a restart is required to finish updating** setting:
+
+- **Off** (default): Once the device enters a pending reboot state for updates, restart notifications are suppressed for 24 hours. During the first 24 hours, automatic restarts can still occur outside of active hours. Typically, users receive fewer notifications about upcoming restarts while the deadline is approaching. 
+    - When the deadline is set for 1 day, users only receive a notification about the deadline and a final nondismissable notification 15 minutes before a forced restart.
+
+- **On**: Users immediately receive a toast notification when the device enters a reboot pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare for a restart. After 24 hours have passed, automatic restarts can occur. This setting is recommended for users who want to be notified about upcoming restarts. 
+   - When the deadline is set for 1 day, an initial notification occurs, automatic restart is blocked for 24 hours, and users receive another notification before the deadline and a final nondismissable notification 15 minutes before a forced restart.
+
+When a deadline is set for 0 days, no matter which option is selected, the only notification users receive is a final nondismissable notification 15 minutes before a forced restart.
+
+The user preference for notifications applies when the following policies for [compliance deadlines](wufb-compliancedeadlines.md) are used:
+
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
+- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates (Windows 11, version 22H2 or later)](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
+- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot) 
+
 #### I want to manage the notifications a user sees

 There are additional settings that affect the notifications.

-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#NoUpdateNotificationsDuringActiveHours) policy with these values:

 **0** (default) - Use the default Windows Update notifications<br/>
 **1** - Turn off all notifications, excluding restart warnings<br/>
@ -181,16 +207,18 @@ We recommend that you use the default notifications as they aim to provide the b
 > [!NOTE]
 > Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.

-Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
+Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.

 #### I want to manage the update settings a user can access

 Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
 
-Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
+Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#setdisablepauseuxaccess).
 When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.

-If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
+If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#setdisableuxwuaccess).
+
+

 #### I want to enable features introduced via servicing that are off by default
 <!--6544872-->
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@ -17,7 +17,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
-ms.date: 02/27/2024
+ms.date: 05/16/2024
 ---

 # Walkthrough: Use Group Policy to configure Windows Update for Business
@ -132,7 +132,7 @@ When you set the target version policy, if you specify a feature update version

 #### I want to manage when devices download, install, and restart after updates

-We recommend that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
+We recommend that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours.

 For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**.

@ -174,6 +174,28 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window

     ![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)

+
+#### <a name="user-settings-for-notifications"></a> End user settings for notifications
+<!--8936877-->
+*Applies to:*
+- Windows 11, version 23H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
+- Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
+
+Users can set a preference for notifications about pending restarts for updates under **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating**. This setting is end-user controlled and not controlled or configurable by IT administrators.
+
+Users have the following options for the **Notify me when a restart is required to finish updating** setting:
+
+- **Off** (default): Once the device enters a pending reboot state for updates, restart notifications are suppressed for 24 hours. During the first 24 hours, automatic restarts can still occur outside of active hours. Typically, users receive fewer notifications about upcoming restarts while the deadline is approaching. 
+    - When the deadline is set for 1 day, users only receive a notification about the deadline and a final nondismissable notification 15 minutes before a forced restart.
+
+- **On**: Users immediately receive a toast notification when the device enters a reboot pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare for a restart. After 24 hours have passed, automatic restarts can occur. This setting is recommended for users who want to be notified about upcoming restarts. 
+   - When the deadline is set for 1 day, an initial notification occurs, automatic restart is blocked for 24 hours, and users receive another notification before the deadline and a final nondismissable notification 15 minutes before a forced restart.
+
+When a deadline is set for 0 days, no matter which option is selected, the only notification users receive is a final nondismissable notification 15 minutes before a forced restart.
+
+The user preference for notifications applies when [compliance deadlines](wufb-compliancedeadlines.md) are used. The policy for compliance deadlines is under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify deadlines for automatic updates and restarts**.
+
+
 #### I want to manage the notifications a user sees

 There are additional settings that affect the notifications.
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@ -12,7 +12,7 @@ manager: aaroncz
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 10/10/2023
+ms.date: 05/16/2024
 ---
 # Enforcing compliance deadlines for updates

@ -46,6 +46,7 @@ The deadline calculation for both quality and feature updates is based off the t
 The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.

 > [!NOTE]
+> - When these policies are used, [user settings for notifications](waas-wufb-csp-mdm.md#user-settings-for-notifications) are also used on clients running Windows 11, version 22H2 and later.
 > - When **Specify deadlines for automatic updates and restarts** is used, updates will be downloaded and installed as soon as they are offered. 
 > - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.

--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@ -14,7 +14,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows Update for Business reports</a>	
 - ✅ <a href=https://learn.microsoft.com/microsoft-365/admin/admin-overview/admin-center-overview >Microsoft 365 admin center</a>	
-ms.date: 04/26/2023
+ms.date: 05/08/2024
 ---

 # Microsoft 365 admin center software updates page
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@ -9,7 +9,7 @@ metadata:
  manager: aaroncz
  author: mestew
  ms.author: mstewart
-  ms.date: 01/26/2024
+  ms.date: 05/07/2024
 title: Frequently Asked Questions about Windows Update for Business reports
 summary: |
  This article answers frequently asked questions about Windows Update for Business reports. <!--7760853-->
@ -20,7 +20,7 @@ summary: |
  - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free)
  - [What Windows versions are supported?](#what-windows-versions-are-supported)

-  **Setup questions**:
+  **Set up questions**:

  - [How do you set up Windows Update for Business reports?](#how-do-you-set-up-windows-update-for-business-reports)
  - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page)
@ -64,6 +64,8 @@ sections:
      - question: What Windows versions are supported?
        answer: |
          Windows Update for Business reports supports clients running a [supported version of Windows 10 or Windows 11](/windows/release-health/supported-versions-windows-client) Professional, Education, Enterprise, and Enterprise multi-session editions. Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
+          > [!Important]
+          > Currently there is a known issue where Windows Update for Business reports doesn't display data for Enterprise multi-session edition devices. <!--8928451-->

  - name: Setup questions
    questions:
@ -103,7 +105,7 @@ sections:
        answer: |
          Here are some reasons why you may not be seeing devices in reports:

-          - **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+          - **The device isn't enrolled with Microsoft Entra**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
          - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly.
          - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days.
          - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This limit is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component.
@ -115,13 +117,13 @@ sections:
          An unknown client state is displayed if there isn't an update record for the device. This state can happen for many reasons, like the device not being active, not being able to scan Windows Update, or it doesn't currently have any update related activity occurring.                 
      - question: What is the difference between OS version and target version?
        answer: |
-          The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running.
+          The word *target* in data labels refers to the update version, build, or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running.
      - question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?
        answer: |
          These tables can be used for the following information:

          - **UCClient**: Represents an individual device's record. It contains data such as the device's name, currently installed build, and the OS Edition. Each device has one record in this table. Use this table to get the overall compliance status of your devices.
-            - To display information for a specific device by Azure AD device ID: </br>
+            - To display information for a specific device by Microsoft Entra device ID: </br>
              `UCClient where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"`
            - To display all device records for devices running any Windows 11 OS version:</br>
              `UCClient | where OSVersion contains "Windows 11"`
@ -132,7 +134,7 @@ sections:
            - To display devices that are in the restart required substate:</br>
              `UCClientUpdateStatus |where ClientSubstate =="RestartRequired"`
          
-          - **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update and one deployment (if relevant).  
+          - **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update, and one deployment (if relevant).  
            - To display information about an error code: 
              `UCUpdateAlert|where ErrorCode =="0X8024000b"`
            - To display a count of devices with active alerts by subtype:
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@ -11,7 +11,7 @@ manager: aaroncz
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
-ms.date: 12/15/2023
+ms.date: 05/07/2024
 ---

 # Windows Update for Business reports prerequisites
@ -35,11 +35,14 @@ Before you begin the process of adding Windows Update for Business reports to yo

 ## Operating systems and editions

- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
+- Windows 11 Professional, Education, Enterprise, and Enterprise multi-session editions <!--8928451-->
+- Windows 10 Professional, Education, Enterprise, and Enterprise multi-session editions

 Windows Update for Business reports only provides data for the standard desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.

+> [!Important]
+> Currently there is a known issue where Windows Update for Business reports doesn't display data for Enterprise multi-session edition devices. <!--8928451, also listed in FAQ-->
+
 ## Windows client servicing channels

 Windows Update for Business reports supports Windows client devices on the following channels:
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 04/30/2024
 ms.topic: article
 ms.subservice: itpro-deploy
 appliesto:
@ -127,33 +127,33 @@ The `/uel`, `/ue` and `/ui` options can be used together to migrate only the use

 ## Incompatible command-line options

-The following table indicates which command-line options aren't compatible with the `LoadState.exe` command. If the table entry for a particular combination has a ✔️, the options are compatible, and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option.
+The following table indicates which command-line options aren't compatible with the `LoadState.exe` command. If the table entry for a particular combination has a ✅, the options are compatible, and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option.

 | Command-Line Option | /keyfile | /nocompress | /genconfig | /all |
 |--- |--- |--- |--- |--- |
-| **/i** | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/v** | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/nocompress** | ✔️ | N/A | ❌ | ✔️ |
-| **/key** | ❌ | ✔️ | ❌ | ✔️ |
-| **/decrypt** | Required* | ❌ | ❌ | ✔️ |
-| **/keyfile** | N/A | ✔️ | ❌ | ✔️ |
-| **/l** | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/progress** | ✔️ | ✔️ | ❌ | ✔️ |
-| **/r** | ✔️ | ✔️ | ❌ | ✔️ |
-| **/w** | ✔️ | ✔️ | ❌ | ✔️ |
-| **/c** | ✔️ | ✔️ | ❌ | ✔️ |
-| **/p** | ✔️ | ✔️ | ❌ | N/A |
-| **/all** | ✔️ | ✔️ | ❌ | ✔️ |
-| **/ui** | ✔️ | ✔️ | ❌ | ❌ |
-| **/ue** | ✔️ | ✔️ | ❌ | ❌ |
-| **/uel** | ✔️ | ✔️ | ❌ | ❌ |
-| **/genconfig** | ✔️ | ✔️ | N/A | ✔️ |
-| **/config** | ✔️ | ✔️ | ❌ | ✔️ |
-| *StorePath* | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/md** | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/mu** | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/lae** | ✔️ | ✔️ | ✔️ | ✔️ |
-| **/lac** | ✔️ | ✔️ | ✔️ | ✔️ |
+| **/i** | ✅ | ✅ | ✅ | ✅ |
+| **/v** | ✅ | ✅ | ✅ | ✅ |
+| **/nocompress** | ✅ | N/A | ❌ | ✅ |
+| **/key** | ❌ | ✅ | ❌ | ✅ |
+| **/decrypt** | Required* | ❌ | ❌ | ✅ |
+| **/keyfile** | N/A | ✅ | ❌ | ✅ |
+| **/l** | ✅ | ✅ | ✅ | ✅ |
+| **/progress** | ✅ | ✅ | ❌ | ✅ |
+| **/r** | ✅ | ✅ | ❌ | ✅ |
+| **/w** | ✅ | ✅ | ❌ | ✅ |
+| **/c** | ✅ | ✅ | ❌ | ✅ |
+| **/p** | ✅ | ✅ | ❌ | N/A |
+| **/all** | ✅ | ✅ | ❌ | ✅ |
+| **/ui** | ✅ | ✅ | ❌ | ❌ |
+| **/ue** | ✅ | ✅ | ❌ | ❌ |
+| **/uel** | ✅ | ✅ | ❌ | ❌ |
+| **/genconfig** | ✅ | ✅ | N/A | ✅ |
+| **/config** | ✅ | ✅ | ❌ | ✅ |
+| *StorePath* | ✅ | ✅ | ✅ | ✅ |
+| **/md** | ✅ | ✅ | ✅ | ✅ |
+| **/mu** | ✅ | ✅ | ✅ | ✅ |
+| **/lae** | ✅ | ✅ | ✅ | ✅ |
+| **/lac** | ✅ | ✅ | ✅ | ✅ |

 > [!NOTE]
 >
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/18/2024
+ms.date: 04/30/2024
 ms.topic: article
 ms.subservice: itpro-deploy
 appliesto:
@ -24,10 +24,10 @@ The following table lists the operating systems supported in USMT.

 | Operating<br>Systems | ScanState<br>(Source<br>Device)| LoadState<br>(Destination<br>Device)|
 |--- |--- |--- |
-|Windows 7|✔️|❌|
-|Windows 8|✔️|❌|
-|Windows 10|✔️|✔️|
-|Windows 11|✔️|✔️|
+|Windows 7|✅|❌|
+|Windows 8|✅|❌|
+|Windows 10|✅|✅|
+|Windows 11|✅|✅|

 > [!NOTE]
 >
@ -79,7 +79,7 @@ To open an elevated command prompt:

 ### Specify the `/c` option and \<ErrorControl\> settings in the `Config.xml` file

-USMT fails if it can't migrate a file or setting, unless the `/c` option is specified. When the `/c` option is specified, USMT logs an error each time it encounters a file that is in use that didn't migrate, but the migration isn't be interrupted. In USMT, which types of errors should allow the migration to continue and which should cause the migration to fail can be specified in the `Config.xml` file. For more information about error reporting, and the **\<ErrorControl\>** element, see [Config.xml file](usmt-configxml-file.md#errorcontrol), [Log files](usmt-log-files.md), and [XML elements library](usmt-xml-elements-library.md).
+USMT fails if it can't migrate a file or setting, unless the `/c` option is specified. When the `/c` option is specified, USMT logs an error each time it encounters a file that is in use that didn't migrate, but the migration isn't to be interrupted. In USMT, which types of errors should allow the migration to continue and which should cause the migration to fail can be specified in the `Config.xml` file. For more information about error reporting, and the **\<ErrorControl\>** element, see [Config.xml file](usmt-configxml-file.md#errorcontrol), [Log files](usmt-log-files.md), and [XML elements library](usmt-xml-elements-library.md).

 ## LoadState

--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 04/30/2024
 ms.topic: article
 ms.subservice: itpro-deploy
 appliesto:
@ -85,7 +85,7 @@ There are several benefits to running the `ScanState.exe` command on an offline
 - **Improved success of migration.**

  The migration success rate is increased because:
-  
+
  - Files aren't locked for editing while offline.
  - WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.

@ -197,33 +197,33 @@ For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-

 ## Incompatible command-line options

-The following table indicates which command-line options aren't compatible with the `ScanState.exe` command. If the table entry for a particular combination has a ✔️, the options are compatible and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option.
+The following table indicates which command-line options aren't compatible with the `ScanState.exe` command. If the table entry for a particular combination has a ✅, the options are compatible and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option.

 |Command-Line Option|/keyfile|/nocompress|/genconfig|/all|
 |--- |--- |--- |--- |--- |
-|**/i**| ✔️ | ✔️ | ✔️ | ✔️ |
-|**/o**| ✔️ | ✔️ | ✔️ | ✔️ |
-|**/v**| ✔️ | ✔️ | ✔️ | ✔️ |
-|**/nocompress**| ✔️ | ✔️ | ✔️ |N/A|
-|**/localonly**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/key**| ❌ | ✔️ | ❌ | ✔️ |
-|**/encrypt**|Required*| ❌ | ❌ | ✔️ |
-|**/keyfile**|N/A| ✔️ | ❌ | ✔️ |
-|**/l**| ✔️ | ✔️ | ✔️ | ✔️ |
-|**/listfiles**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/progress**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/r**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/w**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/c**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/p**| ✔️ | ✔️ | ❌ |N/A|
-|**/all**| ✔️ | ✔️ | ❌ | ✔️ |
-|**/ui**| ✔️ | ✔️ | ❌ | ❌ |
-|**/ue**| ✔️ | ✔️ | ❌ | ❌ |
-|**/uel**| ✔️ | ✔️ | ❌ | ❌ |
-|**/efs**:*\<option\>*| ✔️ | ✔️ | ❌ | ✔️ |
-|**/genconfig**| ✔️ | ✔️ |N/A| ✔️ |
-|**/config**| ✔️ | ✔️ | ❌ | ✔️ |
-|*\<StorePath\>*| ✔️ | ✔️ | ❌ | ✔️ |
+|**/i**| ✅ | ✅ | ✅ | ✅ |
+|**/o**| ✅ | ✅ | ✅ | ✅ |
+|**/v**| ✅ | ✅ | ✅ | ✅ |
+|**/nocompress**| ✅ | ✅ | ✅ |N/A|
+|**/localonly**| ✅ | ✅ | ❌ | ✅ |
+|**/key**| ❌ | ✅ | ❌ | ✅ |
+|**/encrypt**|Required*| ❌ | ❌ | ✅ |
+|**/keyfile**|N/A| ✅ | ❌ | ✅ |
+|**/l**| ✅ | ✅ | ✅ | ✅ |
+|**/listfiles**| ✅ | ✅ | ❌ | ✅ |
+|**/progress**| ✅ | ✅ | ❌ | ✅ |
+|**/r**| ✅ | ✅ | ❌ | ✅ |
+|**/w**| ✅ | ✅ | ❌ | ✅ |
+|**/c**| ✅ | ✅ | ❌ | ✅ |
+|**/p**| ✅ | ✅ | ❌ |N/A|
+|**/all**| ✅ | ✅ | ❌ | ✅ |
+|**/ui**| ✅ | ✅ | ❌ | ❌ |
+|**/ue**| ✅ | ✅ | ❌ | ❌ |
+|**/uel**| ✅ | ✅ | ❌ | ❌ |
+|**/efs**:*\<option\>*| ✅ | ✅ | ❌ | ✅ |
+|**/genconfig**| ✅ | ✅ |N/A| ✅ |
+|**/config**| ✅ | ✅ | ❌ | ✅ |
+|*\<StorePath\>*| ✅ | ✅ | ❌ | ✅ |

 > [!NOTE]
 >
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@ -1,7 +1,7 @@
 ---
 title: Windows quality updates overview with Autopatch groups experience
 description: This article explains how Windows quality updates are managed with Autopatch groups
-ms.date: 01/22/2024
+ms.date: 05/24/2024
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: conceptual
@ -63,12 +63,9 @@ The service level objective for each of these states is calculated as:
 > [!IMPORTANT]
 > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.

-## Import Update rings for Windows 10 and later (public preview)
+## Import Update rings for Windows 10 and later

-> [!IMPORTANT]
-> This feature is in **public preview**. It's being actively developed, and might not be complete.
-
-You can import your organization's existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization's Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization's existing update rings. 
+You can import your organization's existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization's Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization's existing update rings.

 Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-device-registration-overview.md#detailed-device-registration-workflow-diagram).

@ -78,36 +75,36 @@ Imported rings automatically register all targeted devices into Windows Autopatc
 > [!NOTE]
 > Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).

-### Import Update rings for Windows 10 and later
+### To import Update rings for Windows 10 and later

 **To import Update rings for Windows 10 and later:**

-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
-2. Select **Devices** from the left navigation menu. 
-3. Under the **Windows Autopatch** section, select **Release management**. 
-4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**. 
-5. Select **Import Update rings for Windows 10 and later**. 
-6. Select the existing rings you would like to import. 
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** from the left navigation menu.
+3. Under the **Windows Autopatch** section, select **Release management**.
+4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**.
+5. Select **Import Update rings for Windows 10 and later**.
+6. Select the existing rings you would like to import.
 7. Select **Import**.

 ### Remove an imported Update ring for Windows 10 and later

 **To remove an Imported Update rings for Windows 10 and later:**

-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
-2. Select **Devices** from the left navigation menu. 
-3. Under the **Windows Autopatch** section, select **Release management**. 
-4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**. 
-5. Select the Update rings for Windows 10 and later you would like to remove. 
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** from the left navigation menu.
+3. Under the **Windows Autopatch** section, select **Release management**.
+4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**.
+5. Select the Update rings for Windows 10 and later you would like to remove.
 6. Select the **horizontal ellipses (...)** and select **Remove**.

 ### Known limitations

-The following Windows Autopatch features aren't available with imported Intune Update rings: 
+The following Windows Autopatch features aren't available with imported Intune Update rings:

- Autopatch groups and features dependent on Autopatch groups 
+- Autopatch groups and features dependent on Autopatch groups
 - Moving devices in between deployment rings in devices
- Automated deployment ring remediation functions 
+- Automated deployment ring remediation functions
 - Policy health and remediation

 ## Release management
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@ -95,11 +95,11 @@ sections:
      - question: What happens if there's an issue with an update?
        answer: |
          Autopatch relies on the following capabilities to help resolve update issues:
-          - Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release).
+          - Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release).
          - Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls).
      - question: Can I permanently pause a Windows feature update deployment?
        answer: |
-          Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release).
+          Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release).
      - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates?
        answer: |
          For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring.
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@ -44,7 +44,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.

 | Article | Description |
 | ----- | ----- |
-| [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added [Import Update rings for Windows 10 and later](../operate/windows-autopatch-groups-windows-quality-update-overview.md#import-update-rings-for-windows-10-and-later-public-preview) |
+| [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added [Import Update rings for Windows 10 and later](../operate/windows-autopatch-groups-windows-quality-update-overview.md#import-update-rings-for-windows-10-and-later) |
 | [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective) | Updated the Service level objective, added the Service level objective calculation. |
 | [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added more E3 and E5 licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. |

--- a/windows/deployment/windows-enterprise-e3-overview.md
+++ b/windows/deployment/windows-enterprise-e3-overview.md
@ -68,7 +68,7 @@ Windows Enterprise edition has many features that are unavailable in Windows Pro
 |Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
 |AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
 |Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started).|
-|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows).|
+|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).|
 |Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, a device can be configured for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. Access to services such as the Windows Store can also be restricted. For Windows 10, Start layout options can also be managed, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|

 ## Deployment of Windows Enterprise E3 licenses
@ -166,9 +166,9 @@ UE-V requires server and client-side components that need to be downloaded, acti

 For more information about deploying UE-V, see the following resources:

- [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows)
- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
- [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment)
+- [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows)
+- [Get Started with UE-V](/microsoft-desktop-optimization-pack/ue-v/uev-getting-started)
+- [Prepare a UE-V Deployment](/microsoft-desktop-optimization-pack/ue-v/uev-prepare-for-deployment)

 ### Managed User Experience