Merge branch 'main' into jgeurten-update-recommended-driver-blocklist

windows/client-management/implement-server-side-mobile-application-management.md

@@ -9,7 +9,7 @@ ms.date: 07/08/2024
 
 Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
 
-[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
+[!INCLUDE [Deprecate Windows Information Protection](mdm/includes/wip-deprecation.md)]
 
 ## Integration with Microsoft Entra ID
 
@@ -23,7 +23,7 @@ Regular non administrator users can enroll to MAM.
 
 ## Understand Windows Information Protection
 
-WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
+WIP takes advantage of [built-in policies](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
 
 To make applications WIP-aware, app developers need to include the following data in the app resource file.
 

windows/client-management/mdm/enterprisedataprotection-csp.md

@@ -1,12 +1,13 @@
 ---
 title: EnterpriseDataProtection CSP
 description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
-ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
 ms.date: 08/09/2017
 ---
 
 # EnterpriseDataProtection CSP
 
+[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)]
+
 The table below shows the applicability of Windows:
 
 |Edition|Windows 10|Windows 11|
@@ -18,12 +19,7 @@ The table below shows the applicability of Windows:
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 
-The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
-
-> [!NOTE]
-> Starting in July 2022, Microsoft is deprecating Windows Information Protection (WIP) and the APIs that support WIP. Microsoft will continue to support WIP on supported versions of Windows. New versions of Windows won't include new capabilities for WIP, and it won't be supported in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282).
->
-> For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Purview simplifies the configuration set-up and provides an advanced set of capabilities.
+The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
 
 > [!NOTE]
 > To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
@@ -32,8 +28,8 @@ While Windows Information Protection has no hard dependency on VPN, for best res
 
 To learn more about Windows Information Protection, see the following articles:
 
-- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
+- [Create a Windows Information Protection (WIP) policy](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy)
+- [General guidance and best practices for Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
 
 The following example shows the EnterpriseDataProtection CSP in tree format.
 
@@ -52,13 +48,16 @@ EnterpriseDataProtection
 ----Status
 ```
 
-<a href="" id="--device-vendor-msft-enterprisedataprotection"></a>**./Device/Vendor/MSFT/EnterpriseDataProtection**
+## <a href="" id="--device-vendor-msft-enterprisedataprotection"></a> `./Device/Vendor/MSFT/EnterpriseDataProtection`
+
 The root node for the CSP.
 
-<a href="" id="settings"></a>**Settings**
+### <a href="" id="settings"></a> Settings
+
 The root node for the Windows Information Protection (WIP) configuration settings.
 
-<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
+#### <a href="" id="settings-edpenforcementlevel"></a> Settings/EDPEnforcementLevel
+
 Set the WIP enforcement level.
 
 > [!NOTE]
@@ -66,15 +65,16 @@ Set the WIP enforcement level.
 
 The following list shows the supported values:
 
-- 0 (default) – Off / No protection (decrypts previously protected data).
-- 1 – Silent mode (encrypt and audit only).
-- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
-- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
+- 0 (default) - Off / No protection (decrypts previously protected data).
+- 1 - Silent mode (encrypt and audit only).
+- 2 - Allow override mode (encrypt, prompt and allow overrides, and audit).
+- 3 - Hides overrides (encrypt, prompt but hide overrides, and audit).
 
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
-<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
-A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
+#### <a href="" id="settings-enterpriseprotecteddomainnames"></a> Settings/EnterpriseProtectedDomainNames
+
+A list of domains used by the enterprise for its user identities separated by pipes (`|`). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
 
 Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
 
@@ -89,7 +89,8 @@ Here are the steps to create canonical domain names:
 
 Supported operations are Add, Get, Replace, and Delete. Value type is string.
 
-<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
+#### <a href="" id="settings-allowuserdecryption"></a> Settings/AllowUserDecryption
+
 Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user won't be able to remove protection from enterprise content through the operating system or the application user experiences.
 
 > [!IMPORTANT]
@@ -97,17 +98,18 @@ Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the us
 
 The following list shows the supported values:
 
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 - Not allowed.
+- 1 (default) - Allowed.
 
 Most restricted value is 0.
 
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
-<a href="" id="settings-datarecoverycertificate"></a>**Settings/DataRecoveryCertificate**
+#### <a href="" id="settings-datarecoverycertificate"></a> Settings/DataRecoveryCertificate
+
 Specifies a recovery certificate that can be used for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy.
 
-> [!Note]
+> [!NOTE]
 > If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
 
 DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
@@ -115,37 +117,37 @@ The binary blob is the serialized version of following structure:
 
 ```cpp
 //
-//  Recovery Policy Data Structures
+//  Recovery Policy Data Structures
 //
 
 typedef struct _RECOVERY_POLICY_HEADER {
-    USHORT      MajorRevision;
-    USHORT      MinorRevision;
-    ULONG       RecoveryKeyCount;
+    USHORT      MajorRevision;
+    USHORT      MinorRevision;
+    ULONG       RecoveryKeyCount;
 } RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
 
-typedef struct _RECOVERY_POLICY_1_1    {
-        RECOVERY_POLICY_HEADER  RecoveryPolicyHeader;
-        RECOVERY_KEY_1_1        RecoveryKeyList[1];
-}   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
+typedef struct _RECOVERY_POLICY_1_1    {
+        RECOVERY_POLICY_HEADER  RecoveryPolicyHeader;
+        RECOVERY_KEY_1_1        RecoveryKeyList[1];
+}   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
 
-#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1)
-#define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0)
+#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1)
+#define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0)
 
-#define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1)
+#define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1)
 
 ///////////////////////////////////////////////////////////////////////////////
-//                                                                            /
-//  RECOVERY_KEY Data Structure                                               /
-//                                                                            /
+//                                                                            /
+//  RECOVERY_KEY Data Structure                                               /
+//                                                                            /
 ///////////////////////////////////////////////////////////////////////////////
 
 //
 // Current format of recovery data.
 //
 
-typedef struct _RECOVERY_KEY_1_1   {
-        ULONG               TotalLength;
+typedef struct _RECOVERY_KEY_1_1   {
+        ULONG               TotalLength;
         EFS_PUBLIC_KEY_INFO PublicKeyInfo;
 } RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
 
@@ -180,7 +182,7 @@ typedef struct _EFS_PUBLIC_KEY_INFO {
 
             //
             // The following fields contain offsets based at the
-            // beginning of the structure.  Each offset is to
+            // beginning of the structure.  Each offset is to
             // a NULL terminated WCHAR string.
             //
 
@@ -205,16 +207,16 @@ typedef struct _EFS_PUBLIC_KEY_INFO {
 
         struct {
 
-            ULONG CertificateLength;       // in bytes
-            ULONG Certificate;             // offset from start of structure
+            ULONG CertificateLength;       // in bytes
+            ULONG Certificate;             // offset from start of structure
 
         } CertificateInfo;
 
 
         struct {
 
-            ULONG ThumbprintLength;        // in bytes
-            ULONG CertHashData;            // offset from start of structure
+            ULONG ThumbprintLength;        // in bytes
+            ULONG CertHashData;            // offset from start of structure
 
         } CertificateThumbprint;
     };
@@ -238,17 +240,19 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
 
 Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
 
-<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
+#### <a href="" id="settings-revokeonunenroll"></a> Settings/RevokeOnUnenroll
+
 This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
 
 The following list shows the supported values:
 
-- 0 – Don't revoke keys.
-- 1 (default) – Revoke keys.
+- 0 - Don't revoke keys.
+- 1 (default) - Revoke keys.
 
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
-<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
+#### <a href="" id="settings-revokeonmdmhandoff"></a> Settings/RevokeOnMDMHandoff
+
 Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
 
 - 0 - Don't revoke keys.
@@ -256,25 +260,29 @@ Added in Windows 10, version 1703. This policy controls whether to revoke the Wi
 
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
-<a href="" id="settings-rmstemplateidforedp"></a>**Settings/RMSTemplateIDForEDP**
+#### <a href="" id="settings-rmstemplateidforedp"></a> Settings/RMSTemplateIDForEDP
+
 TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
 
 Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
 
-<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
+#### <a href="" id="settings-allowazurermsforedp"></a> Settings/AllowAzureRMSForEDP
+
 Specifies whether to allow Azure RMS encryption for Windows Information Protection.
 
-- 0 (default) – Don't use RMS.
-- 1 – Use RMS.
+- 0 (default) - Don't use RMS.
+- 1 - Use RMS.
 
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
-<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
+#### <a href="" id="settings-smbautoencryptedfileextensions"></a> Settings/SMBAutoEncryptedFileExtensions
+
 Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list.
 When this policy isn't specified, the existing auto-encryption behavior is applied.  When this policy is configured, only files with the extensions in the list will be encrypted.
 Supported operations are Add, Get, Replace and Delete. Value type is string.
 
-<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
+#### <a href="" id="settings-edpshowicons"></a> Settings/EDPShowIcons
+
 Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
 The following list shows the supported values:
 
@@ -283,7 +291,8 @@ The following list shows the supported values:
 
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
-<a href="" id="status"></a>**Status**
+### <a href="" id="status"></a> Status
+
 A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
 
 Suggested values:
@@ -310,8 +319,8 @@ Bits 2 and 4 are reserved for future use.
 
 Supported operation is Get. Value type is integer.
 
-## Related topics
+## Related articles
 
 [Configuration service provider reference](index.yml)
 
-
+[Protect your enterprise data using Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)

windows/client-management/mdm/surfacehub-csp.md

@@ -1,7 +1,7 @@
 ---
 title: SurfaceHub CSP
 description: Learn more about the SurfaceHub CSP.
-ms.date: 08/06/2024
+ms.date: 08/16/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -84,6 +84,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
     - [SleepTimeout](#propertiessleeptimeout)
     - [SurfaceHubMeetingMode](#propertiessurfacehubmeetingmode)
     - [VtcAppPackageId](#propertiesvtcapppackageid)
+  - [UpdateBootManager](#updatebootmanager)
 <!-- SurfaceHub-Tree-End -->
 
 <!-- Device-DeviceAccount-Begin -->
@@ -2878,6 +2879,55 @@ App name.
 
 <!-- Device-Properties-VtcAppPackageId-End -->
 
+<!-- Device-UpdateBootManager-Begin -->
+## UpdateBootManager
+
+<!-- Device-UpdateBootManager-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045] and later |
+<!-- Device-UpdateBootManager-Applicability-End -->
+
+<!-- Device-UpdateBootManager-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/SurfaceHub/UpdateBootManager
+```
+<!-- Device-UpdateBootManager-OmaUri-End -->
+
+<!-- Device-UpdateBootManager-Description-Begin -->
+<!-- Description-Source-DDF -->
+Enables new boot manager usage.
+<!-- Device-UpdateBootManager-Description-End -->
+
+<!-- Device-UpdateBootManager-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UpdateBootManager-Editable-End -->
+
+<!-- Device-UpdateBootManager-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get, Replace |
+| Default Value  | 0 |
+<!-- Device-UpdateBootManager-DFProperties-End -->
+
+<!-- Device-UpdateBootManager-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disable new boot manager. |
+| 320 | Enable new boot manager. |
+<!-- Device-UpdateBootManager-AllowedValues-End -->
+
+<!-- Device-UpdateBootManager-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UpdateBootManager-Examples-End -->
+
+<!-- Device-UpdateBootManager-End -->
+
 <!-- SurfaceHub-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- SurfaceHub-CspMoreInfo-End -->

windows/client-management/mdm/surfacehub-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: SurfaceHub DDF file
 description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider.
-ms.date: 04/22/2024
+ms.date: 08/16/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -1574,6 +1574,43 @@ The following XML file contains the device description framework (DDF) for the S
         </DFProperties>
       </Node>
     </Node>
+    <Node>
+      <NodeName>UpdateBootManager</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>Enables new boot manager usage.</Description>
+        <DefaultValue>0</DefaultValue>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME>text/plain</MIME>
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.19045</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>Disable new boot manager</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>320</MSFT:Value>
+            <MSFT:ValueDescription>Enable new boot manager</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
     <Node>
       <NodeName>Management</NodeName>
       <DFProperties>

windows/configuration/accessibility/index.md

@@ -1,8 +1,9 @@
 ---
 title: Windows accessibility for IT pros
 description: Basic guidance for IT administrators on accessibility features available in Windows client.
-ms.date: 07/25/2024
+ms.date: 08/22/2024
 ms.topic: concept-article
+ms.subservice: accessibility
 ms.collection: tier1
 ---
 

windows/configuration/images/icons/notification.svg

@@ -1,3 +0,0 @@
-<svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M4.71289 13.625H2.33105C2.03809 13.625 1.75684 13.5664 1.4873 13.4492C1.22363 13.3262 0.989258 13.165 0.78418 12.9658C0.584961 12.7607 0.423828 12.5264 0.300781 12.2627C0.183594 11.9932 0.125 11.7119 0.125 11.4189V2.33105C0.125 2.03809 0.183594 1.75977 0.300781 1.49609C0.423828 1.22656 0.584961 0.992188 0.78418 0.792969C0.989258 0.587891 1.22363 0.426758 1.4873 0.30957C1.75684 0.186523 2.03809 0.125 2.33105 0.125H13.6689C13.9619 0.125 14.2402 0.186523 14.5039 0.30957C14.7734 0.426758 15.0078 0.587891 15.207 0.792969C15.4121 0.992188 15.5732 1.22656 15.6904 1.49609C15.8135 1.75977 15.875 2.03809 15.875 2.33105V11.4189C15.875 11.7236 15.8135 12.0107 15.6904 12.2803C15.5674 12.5439 15.4033 12.7754 15.1982 12.9746C14.9932 13.1738 14.7529 13.332 14.4775 13.4492C14.208 13.5664 13.9238 13.625 13.625 13.625H11.2871L8.42188 16.8154C8.31055 16.9385 8.16992 17 8 17C7.83008 17 7.68945 16.9385 7.57812 16.8154L4.71289 13.625ZM14.75 11.375V2.375C14.75 2.22266 14.7207 2.0791 14.6621 1.94434C14.6035 1.80371 14.5215 1.68359 14.416 1.58398C14.3164 1.47852 14.1963 1.39648 14.0557 1.33789C13.9209 1.2793 13.7773 1.25 13.625 1.25H2.375C2.2168 1.25 2.07031 1.2793 1.93555 1.33789C1.80078 1.39648 1.68066 1.47852 1.5752 1.58398C1.47559 1.68359 1.39648 1.80078 1.33789 1.93555C1.2793 2.07031 1.25 2.2168 1.25 2.375V11.375C1.25 11.5332 1.2793 11.6826 1.33789 11.8232C1.39648 11.958 1.47559 12.0752 1.5752 12.1748C1.6748 12.2744 1.79199 12.3535 1.92676 12.4121C2.06738 12.4707 2.2168 12.5 2.375 12.5H4.95898C5.04102 12.5 5.11719 12.5146 5.1875 12.5439C5.26367 12.5732 5.32812 12.6201 5.38086 12.6846L8 15.5938L10.6191 12.6846C10.6719 12.6201 10.7334 12.5732 10.8037 12.5439C10.8799 12.5146 10.959 12.5 11.041 12.5H13.625C13.7832 12.5 13.9297 12.4707 14.0645 12.4121C14.1992 12.3535 14.3164 12.2744 14.416 12.1748C14.5215 12.0693 14.6035 11.9492 14.6621 11.8145C14.7207 11.6797 14.75 11.5332 14.75 11.375Z" fill="#0883D9"/>
-</svg>

windows/deployment/TOC.yml

@@ -1,3 +1,4 @@
+items:
 - name: Deploy and update Windows client
   href: index.yml
   items:
@@ -367,10 +368,6 @@
           href: do/waas-delivery-optimization-reference.md?context=/windows/deployment/context/context
         - name: FoD and language packs for WSUS and Configuration Manager
           href: update/fod-and-lang-packs.md
-        - name: Windows client in S mode
-          href: s-mode.md
-        - name: Switch to Windows client Pro or Enterprise from S mode
-          href: windows-10-pro-in-s-mode.md
         - name: Windows client deployment tools
           items:
             - name: Windows client deployment scenarios and tools
@@ -494,63 +491,7 @@
                         - name: USMT Resources
                           href: usmt/usmt-resources.md
 
-            - name: Application Compatibility Toolkit (ACT) Technical Reference
-              items:
-                - name: SUA User's Guide
-                  items:
-                  - name: Overview
-                    href: planning/sua-users-guide.md
-                  - name: Use the SUA Wizard
-                    href: planning/using-the-sua-wizard.md
-                  - name: Use the SUA Tool
-                    href: planning/using-the-sua-tool.md
-                  - name: Tabs on the SUA Tool Interface
-                    href: planning/tabs-on-the-sua-tool-interface.md
-                  - name: Show Messages Generated by the SUA Tool
-                    href: planning/showing-messages-generated-by-the-sua-tool.md
-                  - name: Apply Filters to Data in the SUA Tool
-                    href: planning/applying-filters-to-data-in-the-sua-tool.md
-                  - name: Fix apps using the SUA Tool
-                    href: planning/fixing-applications-by-using-the-sua-tool.md
-                - name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
-                  href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
-                - name: Compatibility Administrator User's Guide
-                  items:
-                  - name: Overview
-                    href: planning/compatibility-administrator-users-guide.md
-                  - name: Use the Compatibility Administrator Tool
-                    href: planning/using-the-compatibility-administrator-tool.md
-                  - name: Available Data Types and Operators in Compatibility Administrator
-                    href: planning/available-data-types-and-operators-in-compatibility-administrator.md
-                  - name: Search for Fixed Applications in Compatibility Administrator
-                    href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
-                  - name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
-                    href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
-                  - name: Create a Custom Compatibility Fix in Compatibility Administrator
-                    href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
-                  - name: Create a Custom Compatibility Mode in Compatibility Administrator
-                    href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
-                  - name: Create an AppHelp Message in Compatibility Administrator
-                    href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
-                  - name: View the Events Screen in Compatibility Administrator
-                    href: planning/viewing-the-events-screen-in-compatibility-administrator.md
-                  - name: Enable and Disable Compatibility Fixes in Compatibility Administrator
-                    href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
-                  - name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator
-                    href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
-                - name: Manage Application-Compatibility Fixes and Custom Fix Databases
-                  items:
-                  - name: Overview
-                    href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
-                  - name: Understand and Use Compatibility Fixes
-                    href: planning/understanding-and-using-compatibility-fixes.md
-                  - name: Compatibility Fix Database Management Strategies and Deployment
-                    href: planning/compatibility-fix-database-management-strategies-and-deployment.md
-                  - name: Test Your Application Mitigation Packages
-                    href: planning/testing-your-application-mitigation-packages.md
-                  - name: Use the Sdbinst.exe Command-Line Tool
-                    href: planning/using-the-sdbinstexe-command-line-tool.md
         - name: Add fonts in Windows
           href: windows-missing-fonts.md
         - name: Customize Windows PE boot images
-          href: customize-boot-image.md
+          href: customize-boot-image.md

windows/deployment/customize-boot-image.md

@@ -7,7 +7,7 @@ author: frankroj
 manager: aaroncz
 ms.author: frankroj
 ms.topic: conceptual
-ms.date: 05/09/2024
+ms.date: 08/16/2024
 ms.subservice: itpro-deploy
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -25,6 +25,10 @@ The Windows PE (WinPE) boot images that are included with the Windows ADK have a
 
 Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
 
+> [!TIP]
+>
+> The boot images from the [ADK 10.1.26100.1 (May 2024)](/windows-hardware/get-started/adk-install) and later already contain the cumulative update to address the BlackLotus UEFI bootkit vulnerability.
+
 This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS).
 
 ## Prerequisites
@@ -78,6 +82,10 @@ This walkthrough describes how to customize a Windows PE boot image including up
 
 1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four-digit current year, `<month>` is the two-digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month.
 
+    > [!TIP]
+    >
+    > The boot images in the **ADK 10.1.25398.1 (September 2023)** are based off **Microsoft server operating system, version 22H2 for x64-based Systems**. Make sure to update the search term appropriately.
+
 1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update.
 
 1. Store the downloaded cumulative update in a known location for later use, for example `C:\Updates`.
@@ -662,6 +670,10 @@ This step doesn't update or change the boot image. However, it makes sure that t
 
 In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
 
+> [!TIP]
+>
+> The boot images from the [ADK 10.1.26100.1 (May 2024)](/windows-hardware/get-started/adk-install) and later already contain the cumulative update to address the BlackLotus UEFI bootkit vulnerability.
+
 > [!NOTE]
 >
 > **Microsoft Configuration Manager** and **Windows Deployment Services (WDS)** automatically extract the bootmgr boot files from the boot images when the boot images are updated in these products. They don't use the bootmgr boot files from the Windows ADK.
@@ -902,7 +914,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag
 
 ## Step 13: Update boot image in products that utilize it (if applicable)
 
-After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image. The following links contain information on how to update the boot image for several popular products that utilize boot images:
+After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the products that utilize the boot image. The following links contain information on how to update the boot image for several popular products that utilize boot images:
 
 - [Microsoft Configuration Manager](#updating-the-boot-image-in-configuration-manager)
 - [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-and-boot-media-in-mdt)
@@ -1112,10 +1124,10 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w
 
 In the following boot image replacement scenario for WDS:
 
-- The boot image modified as part of this guide is outside of the `<RemoteInstall>` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK
-- An existing boot image in WDS is being replaced with the updated boot image
+- The boot image modified as part of this guide is outside of the `<RemoteInstall>` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK.
+- An existing boot image in WDS is being replaced with the updated boot image.
 
-then follow these steps to update the boot image in WDS:
+Follow these steps to update the boot image in WDS:
 
 1. Replace the existing boot image in WDS with the modified boot image using the following command lines:
 
@@ -1194,7 +1206,7 @@ In the following boot image scenario for WDS:
 - The boot image modified as part of this guide is outside of the `<RemoteInstall>` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK
 - The updated boot image is being added as a new boot image in WDS
 
-then follow these steps to add the boot image in WDS:
+Follow these steps to add the boot image in WDS:
 
 1. Add the updated boot image to WDS using the following command lines:
 

windows/deployment/deploy-enterprise-licenses.md

@@ -6,7 +6,7 @@ author: kaushika-msft
 manager: cshepard
 ms.reviewer: nganguly
 ms.service: windows-client
-ms.subservice: itpro-fundamentals
+ms.subservice: activation
 ms.localizationpriority: medium
 ms.topic: how-to
 ms.date: 03/04/2024