deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'ccu-9693727' of https://github.com/mestew/windows-docs-pr into ccu-9693727

Browse Source
This commit is contained in:
Meghan Stewart 2025-01-30 10:08:13 -08:00
commit 63fc74fa58
90 changed files with 641 additions and 382 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.acrolinx-config.edn
View File

@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
|---------|:--------------:|:--------------------:|:------:|:---------:|
"

21
.github/workflows/BuildValidation.yml vendored Normal file
View File

@ -0,0 +1,21 @@
name: PR has no warnings or errors
permissions:
pull-requests: write
statuses: write
on:
issue_comment:
types: [created]
jobs:
build-status:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
with:
PayloadJson: ${{ toJSON(github) }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}

2
education/windows/federated-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Learn how federated sign-in in Windows works and how to configure it.
ms.date: 06/03/2024
ms.date: 01/27/2025
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

8
windows/client-management/manage-windows-copilot.md
View File

@ -3,7 +3,7 @@ title: Updated Windows and Microsoft 365 Copilot Chat experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
ms.date: 01/22/2025
ms.date: 01/28/2025
ms.author: mstewart
author: mestew
ms.collection:
@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe
The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
## Policy information for previous Copilot in Windows (preview) experience
@ -80,7 +80,7 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
You can remove or uninstall the Copilot app from your device by using one of the following methods:
1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
1. Prevent installation of the Copilot app:

8
windows/client-management/mdm/bitlocker-csp.md
View File

@ -551,6 +551,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages
- 2 = Store recovery passwords only
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
<!-- Device-FixedDrivesRecoveryOptions-Editable-End -->
<!-- Device-FixedDrivesRecoveryOptions-DFProperties-Begin -->
@ -2092,6 +2096,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages.
- 2 = Store recovery passwords only.
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
<!-- Device-SystemDrivesRecoveryOptions-Editable-End -->
<!-- Device-SystemDrivesRecoveryOptions-DFProperties-Begin -->

4
windows/client-management/mdm/healthattestation-csp.md
View File

@ -1,7 +1,7 @@
---
title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP.
ms.date: 01/31/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no
<!-- Device-AttestErrorMessage-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later <br> ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later <br> ✅ Windows Insider Preview |
<!-- Device-AttestErrorMessage-Applicability-End -->
<!-- Device-AttestErrorMessage-OmaUri-Begin -->

4
windows/client-management/mdm/healthattestation-ddf.md
View File

@ -1,7 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>99.9.99999, 10.0.26100.2314, 10.0.22621.4541</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>

17
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Connectivity
- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
- [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
- [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
- [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DeviceGuard
- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
## Reboot CSP
- [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)

57
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -1,7 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read
<!-- DisableCellularSettingsPage-End -->
<!-- DisableCrossDeviceResume-Begin -->
## DisableCrossDeviceResume
<!-- DisableCrossDeviceResume-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCrossDeviceResume-Applicability-End -->
<!-- DisableCrossDeviceResume-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
```
<!-- DisableCrossDeviceResume-OmaUri-End -->
<!-- DisableCrossDeviceResume-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC.
- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
<!-- DisableCrossDeviceResume-Description-End -->
<!-- DisableCrossDeviceResume-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Editable-End -->
<!-- DisableCrossDeviceResume-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCrossDeviceResume-DFProperties-End -->
<!-- DisableCrossDeviceResume-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CrossDeviceResume is Enabled. |
| 1 | CrossDeviceResume is Disabled. |
<!-- DisableCrossDeviceResume-AllowedValues-End -->
<!-- DisableCrossDeviceResume-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Examples-End -->
<!-- DisableCrossDeviceResume-End -->
<!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
## DisableDownloadingOfPrintDriversOverHTTP

148
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -1,7 +1,7 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 01/21/2025
---
<!-- Auto-Generated CSP Document -->
@ -34,11 +34,7 @@ ms.date: 08/06/2024
<!-- DOAbsoluteMaxCacheSize-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum size in GB of Delivery Optimization cache.
This policy overrides the DOMaxCacheSize policy.
The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy.
<!-- DOAbsoluteMaxCacheSize-Description-End -->
<!-- DOAbsoluteMaxCacheSize-Editable-Begin -->
@ -93,7 +89,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
<!-- DOAllowVPNPeerCaching-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
<!-- DOAllowVPNPeerCaching-Description-End -->
<!-- DOAllowVPNPeerCaching-Editable-Begin -->
@ -125,8 +121,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con
| Name | Value |
|:--|:--|
| Name | AllowVPNPeerCaching |
| Friendly Name | Enable Peer Caching while the device connects via VPN |
| Element Name | Enable Peer Caching while the device connects via VPN. |
| Friendly Name | Enable P2P while the device connects via VPN |
| Element Name | Enable P2P while the device connects via VPN. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -156,9 +152,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con
<!-- DOCacheHost-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!-- DOCacheHost-Description-End -->
<!-- DOCacheHost-Editable-Begin -->
@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or
<!-- DOCacheHostSource-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
Options available are:
0 = Disable DNS-SD.
1 = DHCP Option 235.
Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically.
1 = DHCP Option 235
2 = DHCP Option 235 Force.
If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
<!-- DOCacheHostSource-Description-End -->
<!-- DOCacheHostSource-Editable-Begin -->
@ -240,10 +227,18 @@ If this policy isn't configured, the client will attempt to automatically find a
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- DOCacheHostSource-DFProperties-End -->
<!-- DOCacheHostSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | DHCP Option 235. |
| 2 | DHCP Option 235 Force. |
<!-- DOCacheHostSource-AllowedValues-End -->
<!-- DOCacheHostSource-GpMapping-Begin -->
**Group policy mapping**:
@ -281,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a
<!-- DODelayBackgroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 hour (3600).
For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayBackgroundDownloadFromHttp-Description-End -->
<!-- DODelayBackgroundDownloadFromHttp-Editable-Begin -->
@ -311,7 +300,7 @@ The recommended value is 1 hour (3600).
| Name | Value |
|:--|:--|
| Name | DelayBackgroundDownloadFromHttp |
| Friendly Name | Delay background download from http (in secs) |
| Friendly Name | Delay background download from http (in seconds) |
| Element Name | Delay background download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@ -342,7 +331,7 @@ The recommended value is 1 hour (3600).
<!-- DODelayCacheServerFallbackBackground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackBackground-Description-End -->
<!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
@ -397,7 +386,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayCacheServerFallbackForeground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackForeground-Description-End -->
<!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@ -452,13 +441,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayForegroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 minute (60).
For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayForegroundDownloadFromHttp-Description-End -->
<!-- DODelayForegroundDownloadFromHttp-Editable-Begin -->
@ -482,7 +465,7 @@ The recommended value is 1 minute (60).
| Name | Value |
|:--|:--|
| Name | DelayForegroundDownloadFromHttp |
| Friendly Name | Delay Foreground download from http (in secs) |
| Friendly Name | Delay Foreground download from http (in seconds) |
| Element Name | Delay Foreground download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@ -513,7 +496,7 @@ The recommended value is 1 minute (60).
<!-- DODisallowCacheServerDownloadsOnVPN-Description-Begin -->
<!-- Description-Source-DDF -->
Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
<!-- DODisallowCacheServerDownloadsOnVPN-Description-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-Editable-Begin -->
@ -535,8 +518,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
| Value | Description |
|:--|:--|
| 0 (Default) | Allowed. |
| 1 | Not allowed. |
| 0 (Default) | Not Set. |
| 1 | Enabled. |
<!-- DODisallowCacheServerDownloadsOnVPN-AllowedValues-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-GpMapping-Begin -->
@ -572,7 +555,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
<!-- DODownloadMode-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
<!-- DODownloadMode-Description-End -->
<!-- DODownloadMode-Editable-Begin -->
@ -598,10 +581,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
|:--|:--|
| 0 (Default) | HTTP only, no peering. |
| 1 | HTTP blended with peering behind the same NAT. |
| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
| 2 | HTTP blended with peering across a private group. |
| 3 | HTTP blended with Internet peering. |
| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
| 99 | HTTP only, no peering, no use of DO cloud service. |
| 100 | Bypass mode, deprecated in Windows 11. |
<!-- DODownloadMode-AllowedValues-End -->
<!-- DODownloadMode-GpMapping-Begin -->
@ -641,11 +624,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
<!-- DOGroupId-Description-Begin -->
<!-- Description-Source-ADMX -->
Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN.
Note this is a best effort optimization and shouldn't be relied on for an authentication of identity.
Specifies an arbitrary group ID that the device belongs to. A GUID must be used.
<!-- DOGroupId-Description-End -->
<!-- DOGroupId-Editable-Begin -->
@ -698,7 +677,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
<!-- DOGroupIdSource-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
Specifies the source of group ID used for peer selection.
<!-- DOGroupIdSource-Description-End -->
<!-- DOGroupIdSource-Editable-Begin -->
@ -722,12 +701,12 @@ Set this policy to restrict peer selection to a specific source. Available optio
| Value | Description |
|:--|:--|
| 0 (Default) | Unset. |
| 0 (Default) | Not Set. |
| 1 | AD site. |
| 2 | Authenticated domain SID. |
| 3 | DHCP user option. |
| 4 | DNS suffix. |
| 5 | Microsoft Entra ID. |
| 3 | DHCP Option ID. |
| 4 | DNS Suffix. |
| 5 | Entra ID Tenant ID. |
<!-- DOGroupIdSource-AllowedValues-End -->
<!-- DOGroupIdSource-GpMapping-Begin -->
@ -768,8 +747,6 @@ Set this policy to restrict peer selection to a specific source. Available optio
<!-- DOMaxBackgroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxBackgroundDownloadBandwidth-Description-End -->
<!-- DOMaxBackgroundDownloadBandwidth-Editable-Begin -->
@ -824,7 +801,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMaxCacheAge-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
<!-- DOMaxCacheAge-Description-End -->
<!-- DOMaxCacheAge-Editable-Begin -->
@ -879,7 +856,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
<!-- DOMaxCacheSize-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
<!-- DOMaxCacheSize-Description-End -->
<!-- DOMaxCacheSize-Editable-Begin -->
@ -935,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
<!-- DOMaxForegroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxForegroundDownloadBandwidth-Description-End -->
<!-- DOMaxForegroundDownloadBandwidth-Editable-Begin -->
@ -991,7 +966,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMinBackgroundQos-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
<!-- DOMinBackgroundQos-Description-End -->
<!-- DOMinBackgroundQos-Editable-Begin -->
@ -1046,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se
<!-- DOMinBatteryPercentageAllowedToUpload-Description-Begin -->
<!-- Description-Source-ADMX -->
Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
The value 0 means "not-limited"; The cloud service set default value will be used.
Specifies the minimum battery level required for uploading to peers, while on battery power.
<!-- DOMinBatteryPercentageAllowedToUpload-Description-End -->
<!-- DOMinBatteryPercentageAllowedToUpload-Editable-Begin -->
@ -1105,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use
<!-- DOMinDiskSizeAllowedToPeer-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
Specifies the required minimum total disk size in GB for the device to use P2P.
<!-- DOMinDiskSizeAllowedToPeer-Description-End -->
<!-- DOMinDiskSizeAllowedToPeer-Editable-Begin -->
@ -1134,8 +1100,8 @@ Recommended values: 64 GB to 256 GB.
| Name | Value |
|:--|:--|
| Name | MinDiskSizeAllowedToPeer |
| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Friendly Name | Minimum disk size allowed to use P2P (in GB) |
| Element Name | Minimum disk size allowed to use P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1165,7 +1131,7 @@ Recommended values: 64 GB to 256 GB.
<!-- DOMinFileSizeToCache-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
Specifies the minimum content file size in MB eligible to use P2P.
<!-- DOMinFileSizeToCache-Description-End -->
<!-- DOMinFileSizeToCache-Editable-Begin -->
@ -1189,8 +1155,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
| Name | Value |
|:--|:--|
| Name | MinFileSizeToCache |
| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
| Element Name | Minimum Peer Caching Content File Size (in MB) |
| Friendly Name | Minimum P2P Content File Size (in MB) |
| Element Name | Minimum P2P Content File Size (in MB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1220,7 +1186,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
<!-- DOMinRAMAllowedToPeer-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
Specifies the minimum total RAM size in GB required to use P2P.
<!-- DOMinRAMAllowedToPeer-Description-End -->
<!-- DOMinRAMAllowedToPeer-Editable-Begin -->
@ -1244,8 +1210,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
| Name | Value |
|:--|:--|
| Name | MinRAMAllowedToPeer |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1275,9 +1241,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
<!-- DOModifyCacheDrive-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the drive Delivery Optimization shall use for its cache.
By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
<!-- DOModifyCacheDrive-Description-End -->
<!-- DOModifyCacheDrive-Editable-Begin -->
@ -1330,7 +1294,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
<!-- DOMonthlyUploadDataCap-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
<!-- DOMonthlyUploadDataCap-Description-End -->
<!-- DOMonthlyUploadDataCap-Editable-Begin -->
@ -1386,8 +1350,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to
<!-- DOPercentageMaxBackgroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
<!-- DOPercentageMaxBackgroundBandwidth-Description-End -->
<!-- DOPercentageMaxBackgroundBandwidth-Editable-Begin -->
@ -1445,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set.
<!-- DOPercentageMaxForegroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
<!-- DOPercentageMaxForegroundBandwidth-Description-End -->
<!-- DOPercentageMaxForegroundBandwidth-Editable-Begin -->
@ -1501,7 +1461,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DORestrictPeerSelectionBy-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
<!-- DORestrictPeerSelectionBy-Description-End -->
<!-- DORestrictPeerSelectionBy-Editable-Begin -->
@ -1528,7 +1488,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
|:--|:--|
| 0 (Default) | None. |
| 1 | Subnet mask. |
| 2 | Local peer discovery (DNS-SD). |
| 2 | Local discovery (DNS-SD). |
<!-- DORestrictPeerSelectionBy-AllowedValues-End -->
<!-- DORestrictPeerSelectionBy-GpMapping-Begin -->
@ -1681,7 +1641,7 @@ This policy allows an IT Admin to define the following details:
<!-- DOVpnKeywords-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma.
<!-- DOVpnKeywords-Description-End -->
<!-- DOVpnKeywords-Editable-Begin -->

68
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -1,7 +1,7 @@
---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- DeviceGuard-Begin -->
# Policy CSP - DeviceGuard
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-Editable-End -->
@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
<!-- LsaCfgFlags-End -->
<!-- MachineIdentityIsolation-Begin -->
## MachineIdentityIsolation
<!-- MachineIdentityIsolation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MachineIdentityIsolation-Applicability-End -->
<!-- MachineIdentityIsolation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
```
<!-- MachineIdentityIsolation-OmaUri-End -->
<!-- MachineIdentityIsolation-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
<!-- MachineIdentityIsolation-Description-End -->
<!-- MachineIdentityIsolation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Editable-End -->
<!-- MachineIdentityIsolation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- MachineIdentityIsolation-DFProperties-End -->
<!-- MachineIdentityIsolation-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
<!-- MachineIdentityIsolation-AllowedValues-End -->
<!-- MachineIdentityIsolation-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Machine Identity Isolation Configuration. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- MachineIdentityIsolation-GpMapping-End -->
<!-- MachineIdentityIsolation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Examples-End -->
<!-- MachineIdentityIsolation-End -->
<!-- RequirePlatformSecurityFeatures-Begin -->
## RequirePlatformSecurityFeatures

181
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 09/27/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin -->
## ForcePrivacyScreen
<!-- ForcePrivacyScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
```
<!-- ForcePrivacyScreen-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedOff. |
| 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreen |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End -->
<!-- ForcePrivacyScreen-End -->
<!-- ForcePrivacyScreenDim-Begin -->
## ForcePrivacyScreenDim
<!-- ForcePrivacyScreenDim-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
```
<!-- ForcePrivacyScreenDim-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenDim |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End -->
<!-- ForcePrivacyScreenDim-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-CspMoreInfo-End -->

54
windows/client-management/mdm/policy-csp-printers.md
View File

@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Printers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Printers-Editable-End -->
@ -348,6 +350,56 @@ The following are the supported values:
<!-- ConfigureIppPageCountsPolicy-End -->
<!-- ConfigureIppTlsCertificatePolicy-Begin -->
## ConfigureIppTlsCertificatePolicy
<!-- ConfigureIppTlsCertificatePolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureIppTlsCertificatePolicy-Applicability-End -->
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
```
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-End -->
<!-- ConfigureIppTlsCertificatePolicy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- ConfigureIppTlsCertificatePolicy-Description-End -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-End -->
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-End -->
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureIppTlsCertificatePolicy |
| ADMX File Name | Printing.admx |
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-End -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-End -->
<!-- ConfigureIppTlsCertificatePolicy-End -->
<!-- ConfigureRedirectionGuardPolicy-Begin -->
## ConfigureRedirectionGuardPolicy

14
windows/client-management/mdm/vpnv2-csp.md
View File

@ -1,7 +1,7 @@
---
title: VPNv2 CSP
description: Learn more about the VPNv2 CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- Device-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- Device-{ProfileName}-ByPassForLocal-Description-End -->
<!-- Device-{ProfileName}-ByPassForLocal-Editable-Begin -->
@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- User-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- User-{ProfileName}-ByPassForLocal-Description-End -->
<!-- User-{ProfileName}-ByPassForLocal-Editable-Begin -->

12
windows/client-management/mdm/vpnv2-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />
@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />

2
windows/client-management/toc.yml
View File

@ -48,7 +48,7 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
- name: Updated Windows and Microsoft Copilot experience
- name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md

2
windows/configuration/taskbar/pinned-apps.md
View File

@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
- **Value:** content of the XML file
> [!NOTE]
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \&lt; and \&gt; entity encodings. Single and double quote characters do not need to be escaped.
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]

8
windows/deployment/upgrade/log-files.md
View File

@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
1. **The log level** - Info, Warning, Error, Fatal Error
2. **The log level** - Info, Warning, Error, Fatal Error
1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
1. **The message** - Operation completed successfully.
4. **The message** - Operation completed successfully.
See the following example:

2
windows/deployment/upgrade/resolve-windows-upgrade-errors.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.service: windows-client
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

4
windows/deployment/upgrade/setupdiag.md
View File

@ -12,7 +12,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes"
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null,
"Remediation":[
],
"SetupPhaseInfo":null,
"SetupOperationInfo":null

2
windows/deployment/upgrade/submit-errors.md
View File

@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

4
windows/deployment/upgrade/windows-error-reporting.md
View File

@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/18/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -18,7 +18,7 @@ appliesto:
> [!NOTE]
>
> This article is a 300 level article (moderately advanced).
> This article is a 300 level article (moderately advanced).
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.

2
windows/deployment/upgrade/windows-upgrade-paths.md
View File

@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
ms.date: 02/13/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

2
windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
View File

@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 08/30/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

2
windows/deployment/usmt/migrate-application-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 08/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/migration-store-types-overview.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

10
windows/deployment/usmt/offline-migration-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us
## What offline environments are supported?
All currently supported
All currently supported
The following table defines the supported combination of online and offline operating systems in USMT.
@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in
```xml
<offline>
<winDir>
<path>C:\Windows</path>
<path>D:\Windows</path>
<path>E:\</path>
<path>C:\Windows</path>
<path>D:\Windows</path>
<path>E:\</path>
</winDir>
<failOnMultipleWinDir>1</failOnMultipleWinDir>
</offline>

2
windows/deployment/usmt/understanding-migration-xml-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-best-practices.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-choose-migration-store-type.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-command-line-syntax.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-common-migration-scenarios.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

4
windows/deployment/usmt/usmt-configxml-file.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th
</changeGroup>
</mappings>
</localGroups>
-->
</ProfileControl>
</Configuration>

16
windows/deployment/usmt/usmt-conflicts-and-precedence.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c
<objectSet>
<pattern type="File">%CSIDL_PERSONAL%\* [*.doc] </pattern>
</objectSet>
</include>
</include>
```
### How does USMT process each component in an .xml file with multiple components?
@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3
<objectSet>
<pattern type="File"> C:\* [*.mp3]</pattern>
</objectSet>
</exclude>
</exclude>
```
### \<include\> and \<exclude\> rules precedence examples
@ -185,11 +185,11 @@ The destination computer contains the following files:
A custom **.xml** file contains the following code:
```xml
<include>
<objectSet>
<pattern type="File">c:\data\* [*]</pattern>
</objectSet>
</include>
<include>
<objectSet>
<pattern type="File">c:\data\* [*]</pattern>
</objectSet>
</include>
```
For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file.

10
windows/deployment/usmt/usmt-custom-xml-examples.md
View File

@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/09/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra
<component type="Documents" context="User">
<displayName>My Video</displayName>
<role role="Data">
<detects>
<detects>
<detect>
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
</detect>
@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the `<displayName
<rules>
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("\Requests\* [*] ", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("*\Requests\* [*] ", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("\Requests\* [*] ", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("*\Requests\* [*] ", "Fixed")</script>
</objectSet>
</include>
</rules>
@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the `<displayName
<role role="Data">
<rules>
<include>
<objectSet>
<objectSet>
<pattern type="File"> C:\*\Presentations\* [*]</pattern>
<pattern type="File"> C:\Presentations\* [*]</pattern>
</objectSet>

2
windows/deployment/usmt/usmt-customize-xml-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-determine-what-to-migrate.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-estimate-migration-store-size.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-exclude-files-and-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

48
windows/deployment/usmt/usmt-faq.yml
View File

@ -11,12 +11,12 @@ metadata:
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: faq
title: Frequently Asked Questions
summary: |
**Applies to:**
- Windows 11
- Windows 10
@ -30,13 +30,13 @@ sections:
How much space is needed on the destination computer?
answer: |
The destination computer needs enough available space for the following items:
- Operating system
- Applications
- Uncompressed store
- question: |
Can the files and settings be stored directly on the destination computer or is a server needed?
answer: |
@ -47,13 +47,13 @@ sections:
- Directly on the destination computer.
To store it directly on the destination computer:
1. Create and share the directory `C:\store` on the destination computer.
1. Run the **ScanState** tool on the source computer and save the files and settings to `\\<DestinationComputerName>\store`
1. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location.
- question: |
Can data be migrated between operating systems with different languages?
answer: |
@ -80,7 +80,7 @@ sections:
How can a folder or a certain type of file be excluded from the migration?
answer: |
The **\<unconditionalExclude\>** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\<include\>** rules that are in the **.xml** files. For an example, see **\<unconditionalExclude\>** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md).
- question: |
What happens to files that were located on a drive that don't exist on the destination computer?
answer: |
@ -91,22 +91,22 @@ sections:
- C:\\ is the system drive on the destination computer.
the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\<locationModify\>** rules attempt to move data to a drive that doesn't exist on the destination computer.
- name: USMT .xml Files
questions:
- question: |
Where are there examples of USMT **.xml** files?
answer: |
The following articles include examples of USMT **.xml** files:
- [Exclude files and settings](usmt-exclude-files-and-settings.md)
- [Reroute files and settings](usmt-reroute-files-and-settings.md)
- [Include files and settings](usmt-include-files-and-settings.md)
- [Custom XML examples](usmt-custom-xml-examples.md)
- question: |
Can custom **.xml** files that were written for USMT 5.0 be used?
answer: |
@ -121,9 +121,9 @@ sections:
Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands?
answer: |
The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings.
If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
- question: |
Which files can be modified and specified on the command line?
answer: |
@ -133,20 +133,20 @@ sections:
What happens if the **.xml** files aren't specified on the command line?
answer: |
- **ScanState**
If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated.
- **LoadState**
If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
- name: Conflicts and Precedence
questions:
- question: |
What happens when there are conflicting XML rules or conflicting objects on the destination computer?
answer: |
For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
additionalContent: |

18
windows/deployment/usmt/usmt-general-conventions.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library
The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves.
For example, specify the file
`C:\Windows\Notepad.exe`
as
**c:\\Windows\[Notepad.exe\]**
Similarly, specify the directory
`C:\Windows\System32`
as
**c:\\Windows\\System32**
Note the absence of the **\[\]** characters in second example.
The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.

2
windows/deployment/usmt/usmt-hard-link-migration-store.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

4
windows/deployment/usmt/usmt-how-it-works.md
View File

@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 01/09/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol
There are three types of components:
- Components that migrate the operating system settings.
- Components that migrate application settings.
- Components that migrate users' files.

2
windows/deployment/usmt/usmt-how-to.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-application-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-operating-system-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-identify-users.md
View File

@ -9,7 +9,7 @@ author: frankroj
ms.topic: conceptual
ms.localizationpriority: medium
ms.subservice: itpro-deploy
ms.date: 01/09/2024
ms.date: 01/29/2025
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

14
windows/deployment/usmt/usmt-include-files-and-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key.
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Application" context="System">
<displayName>Component to migrate only registry value string</displayName>
<displayName>Component to migrate only registry value string</displayName>
<role role="Settings">
<rules>
<include>
<objectSet>
<pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]</pattern>
<pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]</pattern>
</objectSet>
</include>
</rules>
@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
<rules>
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("\EngineeringDrafts\* [*] ", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("*\EngineeringDrafts\* [*] ", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("\EngineeringDrafts\* [*] ", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("*\EngineeringDrafts\* [*] ", "Fixed")</script>
</objectSet>
</include>
</rules>
@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
<role role="Data">
<rules>
<include>
<objectSet>
<objectSet>
<pattern type="File"> C:\*\EngineeringDrafts\* [*]</pattern>
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
</objectSet>
@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive
</rules>
</role>
</component>
</migration>
</migration>
```
## Migrate a specific file

2
windows/deployment/usmt/usmt-loadstate-syntax.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 04/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-log-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-migrate-user-accounts.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-migration-store-encryption.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-overview.md
View File

@ -7,7 +7,7 @@ author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: overview
ms.collection:
- highpri

2
windows/deployment/usmt/usmt-plan-your-migration.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-recognized-environment-variables.md
View File

@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.collection:
- highpri

2
windows/deployment/usmt/usmt-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-requirements.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 04/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

8
windows/deployment/usmt/usmt-reroute-files-and-settings.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed
</rules>
</role>
</component>
</migration>
</migration>
```
## Reroute a specific file
@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin
<displayName>Sample.doc into the Documents folder</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<include>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
</objectSet>
</include>

4
windows/deployment/usmt/usmt-resources.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -23,7 +23,7 @@ appliesto:
- Microsoft Visual Studio
- The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio.
For more information about how to use the schema with an XML authoring environment, see the environment's documentation.
- [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS).

2
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 04/30/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-technical-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-test-your-migration.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-topics.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-troubleshooting.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-utilities.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/usmt-what-does-usmt-migrate.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/18/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

44
windows/deployment/usmt/usmt-xml-elements-library.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file:
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]</location>
<attributes>DWORD</attributes>
<bytes>00000000</bytes>
</object>
</object>
```
## \<bytes\>
@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file:
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]</location>
<attributes>DWORD</attributes>
<bytes>00000000</bytes>
</object>
</object>
```
## \<commandLine\>
@ -1070,10 +1070,10 @@ Example:
</externalProcess>
</rules>
</role>
<!-- Migrate
<!-- Migrate
all doc files from the system
all power point files
all visio design files
all visio design files
all my c++ program files -->
<extensions>
<extension>DOC</extension>
@ -1126,18 +1126,18 @@ Syntax:
For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\<component\>** element:
```xml
<extensions>
<extension>doc</extension>
<extensions>
<extensions>
<extension>doc</extension>
<extensions>
```
is the same as specifying the following code below the **\<rules\>** element:
```xml
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
</objectSet>
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
</objectSet>
</include>
```
@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file:
<path type="File">%CSIDL_MYVIDEO%</path>
</paths>
<role role="Data">
<detects>
<detects>
<detect>
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
</detect>
@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file:
<path type="File">%CSIDL_MYMUSIC%</path>
</paths>
<role role="Data">
<detects>
<detects>
<detect>
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")</condition>
</detect>
</detects>
</detects>
<rules>
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the
<path type="File">%CSIDL_STARTMENU%</path>
</paths>
<role role="Settings">
<detects>
<detects>
<detect>
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")</condition>
</detect>
</detects>
</detects>
<rules>
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file:
<path type="File">%CSIDL_MYMUSIC%</path>
</paths>
<role role="Data">
<detects>
<detects>
<detect>
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")</condition>
</detect>
</detects>
</detects>
<rules>
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
@ -1969,7 +1969,7 @@ Examples:
To migrate the Sample.doc file from any drive on the source computer, use **\<script\>** as follows. If multiple files exist with the same name, all such files get migrated.
```xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```
For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
@ -2171,7 +2171,7 @@ For example:
```xml
<variable name="QuickTime5or6DataSys">
<text>%CSIDL_COMMON_APPDATA%\QuickTime</text>
<text>%CSIDL_COMMON_APPDATA%\QuickTime</text>
</variable>
```
@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi
<unconditionalExclude>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
</objectSet>
</objectSet>
</unconditionalExclude>
</rules>
</role>

2
windows/deployment/usmt/usmt-xml-reference.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

2
windows/deployment/usmt/xml-file-requirements.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:

6
windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
View File

@ -40,9 +40,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati
### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
Key value: `**HotPatchRestrictions=1**`
This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
DWORD key value: HotPatchRestrictions=1
> [!IMPORTANT]
> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.

4
windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
View File

@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- webclnt.dll/davsvc.dll
- webclnt.dll/davsvc.dll<sup>3</sup>
- wfc.exe
- windbg.exe
- wmic.exe
@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
<sup>2</sup> If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
<sup>3</sup> If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
<sup>*</sup> Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
<br />

3
windows/security/docfx.json
View File

@ -142,9 +142,10 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"application-security/application-control/windows-defender-application-control/**/*.md": [
"application-security/application-control/app-control-for-business/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2025</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"

2
windows/security/identity-protection/hello-for-business/rdp-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
ms.date: 06/11/2024
ms.date: 01/27/2025
ms.topic: how-to
---

2
windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---

2
windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---

13
windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)

13
windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
View File

@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

23
windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
View File

@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `<SSO>` section.
Server-side infrastructure requirements to support VPN device compliance include:
@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

12
windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
View File

@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> ![Custom XML.](images/vpn-custom-xml-intune.png)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

2
windows/security/operating-system-security/network-security/vpn/vpn-guide.md
View File

@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: overview
---

13
windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
View File

@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

2
windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
View File

@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
ms.date: 05/06/2024
ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client

12
windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: how-to
---
@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)

13
windows/security/operating-system-security/network-security/vpn/vpn-routing.md
View File

@ -1,5 +1,5 @@
---
ms.date: 05/06/2024
ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
![split tunnel.](images/vpn-split.png)
Once enabled, you can add the routes that should use the VPN connection.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

13
windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
View File

@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/06/2024
ms.date: 01/27/2025
ms.topic: concept-article
---
@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)

4
windows/whats-new/deprecated-features.md
View File

@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 12/12/2024
ms.date: 01/24/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@ -57,7 +57,7 @@ The features in this article are no longer being actively developed, and might b
| NPLogonNotify and NPPasswordChangeNotify APIs <!--8787264--> | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
| Windows Mixed Reality <!--8412877, 9720344--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). </br></br> **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available. <br><br>**[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
| Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition <!--8396142-->| [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |