diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn
index 2794193b88..3e58e829a1 100644
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
-| Article | Total score (Required: 80) | Words + phrases (Brand, terms) | Correctness (Spelling, grammar) | Clarity (Readability) |
+| Article | Total score (Required: 80) | Terminology | Spelling and Grammar| Clarity (Readability) |
|---------|:--------------:|:--------------------:|:------:|:---------:|
"
diff --git a/.github/workflows/BuildValidation.yml b/.github/workflows/BuildValidation.yml
new file mode 100644
index 0000000000..e57844b453
--- /dev/null
+++ b/.github/workflows/BuildValidation.yml
@@ -0,0 +1,21 @@
+name: PR has no warnings or errors
+
+permissions:
+ pull-requests: write
+ statuses: write
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+
+ build-status:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+
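Review bot: The new `build-status` job runs on every `issue_comment` creation with a `pull-requests: write`/`statuses: write` token and no `if:` guard, so any account able to comment on an issue or pull request in this repository triggers it, and the full event payload — including the untrusted comment body — is forwarded through `PayloadJson: ${{ toJSON(github) }}`; whether `Shared-BuildValidation.yml` filters the caller or avoids interpolating that payload into a shell step is not visible here. Unless that filtering is known to live in the shared workflow, gate the job in this caller, e.g. `if: github.event.issue.pull_request != null && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The reusable workflow is also referenced by the mutable branch ref `@workflows-prod` rather than a commit SHA, so anyone who can push to that branch in `MicrosoftDocs/microsoft-365-docs` changes what runs here with this repository's write token; pinning to a SHA (or at least a tag) would make that trust boundary explicit. The three trailing blank lines at the end of the file are unnecessary.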
diff --git a/.github/workflows/Stale.yml b/.github/workflows/Stale.yml
index 101ee8ba9c..82b6875e28 100644
--- a/.github/workflows/Stale.yml
+++ b/.github/workflows/Stale.yml
@@ -13,7 +13,7 @@ jobs:
stale:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
with:
- RunDebug: true
+ RunDebug: false
RepoVisibility: ${{ github.repository_visibility }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.openpublishing.build.ps1 b/.openpublishing.build.ps1
deleted file mode 100644
index dd60c684ef..0000000000
--- a/.openpublishing.build.ps1
+++ /dev/null
@@ -1,18 +0,0 @@
-param(
- [string]$buildCorePowershellUrl = "https://opbuildstoragesandbox2.blob.core.windows.net/opps1container/.openpublishing.buildcore.ps1",
- [string]$parameters
-)
-# Main
-$errorActionPreference = 'Stop'
-
-# Step-1 Download buildcore script to local
-echo "download build core script to local with source url: $buildCorePowershellUrl"
-$repositoryRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition
-$buildCorePowershellDestination = "$repositoryRoot\.openpublishing.buildcore.ps1"
-Invoke-WebRequest $buildCorePowershellUrl -OutFile $buildCorePowershellDestination
-
-# Step-2: Run build core
-echo "run build core script with parameters: $parameters"
-$arguments = "-parameters:'$parameters'"
-Invoke-Expression "$buildCorePowershellDestination $arguments"
-exit $LASTEXITCODE
\ No newline at end of file
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 0015a87b88..ca6ed75b69 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -251,7 +251,6 @@
".openpublishing.redirection.browsers.json",
".openpublishing.redirection.education.json",
".openpublishing.redirection.json",
- ".openpublishing.redirection.store-for-business.json",
".openpublishing.redirection.windows-application-management.json",
".openpublishing.redirection.windows-client-management.json",
".openpublishing.redirection.windows-configuration.json",
diff --git a/.openpublishing.redirection.store-for-business.json b/.openpublishing.redirection.store-for-business.json
deleted file mode 100644
index f825112907..0000000000
--- a/.openpublishing.redirection.store-for-business.json
+++ /dev/null
@@ -1,299 +0,0 @@
-{
- "redirections": [
- {
- "source_path": "store-for-business/acquire-apps-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/acquire-apps-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/add-unsigned-app-to-code-integrity-policy.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/app-inventory-managemement-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/app-inventory-management-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/apps-in-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/apps-in-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/configure-mdm-provider-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/configure-mdm-provider-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/device-guard-signing-portal.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-apps-windows-store-for-business-overview.md",
- "redirect_url": "/microsoft-store/manage-apps-microsoft-store-for-business-overview",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-mpsa-software-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-store/index",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-orders-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/manage-orders-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-settings-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/manage-settings-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-users-and-groups-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/manage-users-and-groups-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/prerequisites-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/prerequisites-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/roles-and-permissions-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/roles-and-permissions-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/settings-reference-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/settings-reference-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/sign-code-integrity-policy-with-device-guard-signing.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-store",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/sign-up-windows-store-for-business-overview.md",
- "redirect_url": "/microsoft-store/sign-up-microsoft-store-for-business-overview",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/sign-up-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/index",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/troubleshoot-windows-store-for-business.md",
- "redirect_url": "/microsoft-store/troubleshoot-microsoft-store-for-business",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/update-windows-store-for-business-account-settings.md",
- "redirect_url": "/microsoft-store/update-microsoft-store-for-business-account-settings",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/windows-store-for-business-overview.md",
- "redirect_url": "/microsoft-store/microsoft-store-for-business-overview",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/work-with-partner-microsoft-store-business.md",
- "redirect_url": "/microsoft-365/commerce/manage-partners",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/acquire-apps-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/add-profile-to-devices.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/app-inventory-management-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/apps-in-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/assign-apps-to-employees.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/billing-payments-overview.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/billing-profile.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/billing-understand-your-invoice-msfb.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/configure-mdm-provider-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/distribute-apps-from-your-private-store.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/distribute-apps-with-management-tool.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/distribute-offline-apps.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/find-and-acquire-apps-overview.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/index.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-access-to-private-store.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-apps-microsoft-store-for-business-overview.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-orders-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-private-store-settings.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-settings-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/manage-users-and-groups-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/microsoft-store-for-business-education-powershell-module.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/microsoft-store-for-business-overview.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/notifications-microsoft-store-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/payment-methods.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/prerequisites-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/release-history-microsoft-store-business-education.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/roles-and-permissions-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/settings-reference-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/sfb-change-history.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/sign-up-microsoft-store-for-business-overview.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/troubleshoot-microsoft-store-for-business.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/update-microsoft-store-for-business-account-settings.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/whats-new-microsoft-store-business-education.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- },
- {
- "source_path": "store-for-business/working-with-line-of-business-apps.md",
- "redirect_url": "/microsoft-365/admin/",
- "redirect_document_id": false
- }
- ]
-}
diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 09479f4eca..7efdfec5ae 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -1660,10 +1660,35 @@
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-enterprise-faq-itpro",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-appendix.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-deploy.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-prerequisites.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-update-uninstall.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/deployment/planning/windows-10-deployment-considerations.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-deployment-considerations",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview",
+ "redirect_document_id": false
}
]
}
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 94caccffcb..52233f5ad0 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -5,6 +5,11 @@
"redirect_url": "/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md",
+ "redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/index",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md",
"redirect_url": "/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity",
@@ -1427,12 +1432,12 @@
},
{
"source_path": "windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md",
- "redirect_url": "https:/support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/password-support-policy.md",
- "redirect_url": "https:/support.microsoft.com/help/4490115",
+ "redirect_url": "https://support.microsoft.com/help/4490115",
"redirect_document_id": false
},
{
@@ -3202,7 +3207,7 @@
},
{
"source_path": "windows/security/threat-protection/device-guard/memory-integrity.md",
- "redirect_url": "https:/support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78",
+ "redirect_url": "https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78",
"redirect_document_id": false
},
{
@@ -5857,7 +5862,7 @@
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md",
- "redirect_url": "https:/feedback.smartscreen.microsoft.com/smartscreenfaq.aspx",
+ "redirect_url": "https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx",
"redirect_document_id": false
},
{
@@ -6762,12 +6767,12 @@
},
{
"source_path": "windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md",
- "redirect_url": "https:/www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
+ "redirect_url": "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-10-mobile-security-guide.md",
- "redirect_url": "https:/support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@@ -7802,7 +7807,7 @@
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md",
- "redirect_url": "https:/aka.ms/AzureCodeSigning",
+ "redirect_url": "https://aka.ms/AzureCodeSigning",
"redirect_document_id": false
},
{
@@ -9322,7 +9327,7 @@
},
{
"source_path": "windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md",
- "redirect_url": "https:/feedback.smartscreen.microsoft.com/smartscreenfaq.aspx",
+ "redirect_url": "https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx",
"redirect_document_id": false
},
{
@@ -9937,27 +9942,27 @@
},
{
"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md",
- "redirect_url": "https:/github.com/microsoft/SecCon-Framework/blob/master/level-1-enterprise-basic-security.md",
+ "redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-1-enterprise-basic-security.md",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md",
- "redirect_url": "https:/github.com/microsoft/SecCon-Framework/blob/master/level-2-enterprise-enhanced-security.md",
+ "redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-2-enterprise-enhanced-security.md",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md",
- "redirect_url": "https:/github.com/microsoft/SecCon-Framework/blob/master/level-3-enterprise-high-security.md",
+ "redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-3-enterprise-high-security.md",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md",
- "redirect_url": "https:/github.com/microsoft/SecCon-Framework/blob/master/level-4-enterprise-devops-security.md",
+ "redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-4-enterprise-devops-security.md",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md",
- "redirect_url": "https:/github.com/microsoft/SecCon-Framework/blob/master/level-5-enterprise-administrator-security.md",
+ "redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-5-enterprise-administrator-security.md",
"redirect_document_id": false
},
{
@@ -9967,7 +9972,7 @@
},
{
"source_path": "windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md",
- "redirect_url": "https:/github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md",
+ "redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md",
"redirect_document_id": false
},
{
@@ -9982,7 +9987,47 @@
},
{
"source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
- "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md",
+ "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/application-security/index.md",
+ "redirect_url": "/windows/security/book/application-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/hardware-security/index.md",
+ "redirect_url": "/windows/security/book/hardware-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/cloud-services/index.md",
+ "redirect_url": "/windows/security/book/cloud-services",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/index.md",
+ "redirect_url": "/windows/security/book/identity-protection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/index.md",
+ "redirect_url": "/windows/security/book/operating-system-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/security-foundations/index.md",
+ "redirect_url": "/windows/security/book/security-foundation",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/introduction.md",
+ "redirect_url": "/windows/security/book",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md",
+ "redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
}
]
diff --git a/README.md b/README.md
index 98c771d56d..97874f3f91 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Anyone who is interested can contribute to the topics. When you contribute, your
### Quickly update an article using GitHub.com
-Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://www.microsoft.com/videoplayer/embed/RE1XQTG) also covers how to contribute.
+Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://learn-video.azurefd.net/vod/player?id=b5167c5a-9c69-499b-99ac-e5467882bc92) also covers how to contribute.
1. Make sure you're signed in to GitHub.com with your GitHub account.
2. Browse to the page you want to edit on Microsoft Learn.
diff --git a/education/docfx.json b/education/docfx.json
index cc2b912248..8a348ff39f 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -52,15 +52,18 @@
"titleSuffix": "Windows Education",
"contributors_to_exclude": [
"dstrome2",
- "rjagiewich",
- "American-Dipper",
- "claydetels19",
+ "rjagiewich",
+ "American-Dipper",
+ "claydetels19",
"jborsecnik",
"v-stchambers",
"shdyas",
- "Stacyrch140",
+ "Stacyrch140",
"garycentric",
- "dstrome"
+ "dstrome",
+ "padmagit77",
+ "aditisrivastava07",
+ "Ruchika-mittal01"
]
},
"fileMetadata": {
@@ -77,4 +80,4 @@
"dest": "education",
"markdownEngineName": "markdig"
}
-}
\ No newline at end of file
+}
diff --git a/education/index.yml b/education/index.yml
index 1da8d77fdb..d70de3747c 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page
- ms.date: 07/22/2024
+ ms.date: 12/05/2024
productDirectory:
title: For IT admins
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 54bf350d77..4f9ce1a8ed 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
---
-title: Configure federation between Google Workspace and Microsoft Entra ID
+title: Configure Federation Between Google Workspace And Microsoft Entra Id
description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
---
@@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
-1. On the **Service provider detail's** page
+1. On the **Service provider detail's** page:
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
+ - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\
If using Google autoprovisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
@@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in
1. The user is redirected to Google Workspace to sign in
1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
-:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
+ :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 889b10b393..bdd5d2761c 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -1,7 +1,7 @@
---
-title: Configure Stickers for Windows 11 SE
+title: Configure Stickers For Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ Windows 11 SE
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index b0d6efa639..727c1a26bd 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -1,7 +1,7 @@
---
-title: Configure education themes for Windows 11
+title: Configure Education Themes For Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ Windows 11
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index aca908bb45..9a73ef453c 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Learn how federated sign-in in Windows works and how to configure it.
-ms.date: 06/03/2024
+ms.date: 01/27/2025
ms.topic: how-to
appliesto:
- ✅ Windows 11
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index d5a0cb61fa..8d3050097f 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,8 +1,8 @@
---
-title: Get and deploy Minecraft Education
+title: Deploy Minecraft Education To Windows Devices
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/5/2024
ms.collection:
- education
- tier2
@@ -48,7 +48,7 @@ To purchase direct licenses:
1. Select the quantity of licenses you'd like to purchase and select **Place Order**
1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
-If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
+ If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses)
### Volume licensing
@@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more
1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
1. From the left-hand menu in Microsoft Admin Center, select *Users*
1. From the Users list, select the users you want to add or remove for Minecraft Education access
-1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
+1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already
> [!Note]
- > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
+ > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions
1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
> [!Note]
> If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
-:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
+ :::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
@@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Select **Next**
1. On the *Review + Create* screen, select **Create**
-Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
+ Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
-:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
+ :::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
-For more information how to deploy Minecraft Education, see:
+ For more information how to deploy Minecraft Education, see:
-- [Windows installation guide][EDU-6]
-- [Chromebook installation guide][EDU-7]
-- [iOS installation guide][EDU-8]
-- [macOS installation guide][EDU-9]
+ - [Windows installation guide][EDU-6]
+ - [Chromebook installation guide][EDU-7]
+ - [iOS installation guide][EDU-8]
+ - [macOS installation guide][EDU-9]
-If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
+ If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
-
-[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
-[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
-[EDU-3]: https://www.microsoft.com/education/products/office
-[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
-[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
-[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
-[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
-[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
-[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
+
+ [EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
+ [EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
+ [EDU-3]: https://www.microsoft.com/education/products/office
+ [EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
+ [EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
+ [EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
+ [EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
+ [EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
+ [EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
-[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
-[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
+ [M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
+ [M365-2]: /microsoft-365/admin/add-users/about-admin-roles
-[AKA-1]: https://aka.ms/minecraftedusupport
+ [AKA-1]: https://aka.ms/minecraftedusupport
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 4bc8fe8393..981e1d8466 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -12,22 +12,16 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 07/22/2024
+ ms.date: 10/10/2024
highlightedContent:
items:
- - title: Get started with Windows 11 SE
- itemType: get-started
- url: windows-11-se-overview.md
- - title: Windows 11, version 23H2
+ - title: Windows 11, version 24H2
itemType: whats-new
- url: /windows/whats-new/whats-new-windows-11-version-23h2
+ url: /windows/whats-new/whats-new-windows-11-version-24h2
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- - title: Deploy applications to Windows 11 SE with Intune
- itemType: how-to-guide
- url: /education/windows/tutorial-deploy-apps-winse
productDirectory:
title: Get started
diff --git a/education/windows/suspcs/index.md b/education/windows/suspcs/index.md
index 3e41143df7..34ae3b990a 100644
--- a/education/windows/suspcs/index.md
+++ b/education/windows/suspcs/index.md
@@ -2,7 +2,7 @@
title: Use Set up School PCs app
description: Learn how to use the Set up School PCs app and apply the provisioning package.
ms.topic: how-to
-ms.date: 07/09/2024
+ms.date: 02/25/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/education/windows/suspcs/provisioning-package.md b/education/windows/suspcs/provisioning-package.md
index 677b9b7b6f..bde1800fa4 100644
--- a/education/windows/suspcs/provisioning-package.md
+++ b/education/windows/suspcs/provisioning-package.md
@@ -1,7 +1,7 @@
---
-title: What's in Set up School PCs provisioning package
+title: What's In Set up School PCs Provisioning Package
description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: reference
appliesto:
- ✅ Windows 11
diff --git a/education/windows/suspcs/reference.md b/education/windows/suspcs/reference.md
index 278344c047..3cec502ea5 100644
--- a/education/windows/suspcs/reference.md
+++ b/education/windows/suspcs/reference.md
@@ -1,8 +1,8 @@
---
title: Set up School PCs app technical reference overview
-description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
+description: Describes the purpose of the Set up School PCs app for Windows devices.
ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -12,12 +12,12 @@ appliesto:
The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs.
-If your school uses Microsoft Entra ID or Office 365, the Set up
+If your school uses Microsoft Entra ID or Microsoft 365, the Set up
School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity.
## Join devices to Microsoft Entra ID
-If your school uses Microsoft Entra ID or Office 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
+If your school uses Microsoft Entra ID or Microsoft 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
The app also helps set up PCs for use with or without Internet connectivity.
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 8c46ac4b93..b43345436f 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -1,7 +1,7 @@
---
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
-ms.date: 02/29/2024
+ms.date: 11/11/2024
ms.topic: how-to
---
@@ -9,11 +9,11 @@ ms.topic: how-to
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
-- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
-- access other applications
-- change system settings, such as display extension, notifications, updates
-- access Cortana
-- access content copied to the clipboard
+- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- Access other applications
+- Change system settings, such as display extension, notifications, updates
+- Access Cortana
+- Access content copied to the clipboard
## How to use Take a Test
@@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
-:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
+ :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link
@@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
For this option, copy the assessment URL and open the web application Customize your assessment URL, where you can:
-- Paste the link to the assessment URL
-- Select the options you want to allow during the test
-- Generate the link by selecting the button Create link
+- Paste the link to the assessment URL.
+- Select the options you want to allow during the test.
+- Generate the link by selecting the button Create link.
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
@@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
## Distribute the secure assessment link
-Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
@@ -85,4 +85,4 @@ To take the test, have the students open the link.
Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
-To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
\ No newline at end of file
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md
index 7f2a9f9207..54cb82322a 100644
--- a/education/windows/tutorial-deploy-apps-winse/considerations.md
+++ b/education/windows/tutorial-deploy-apps-winse/considerations.md
@@ -1,7 +1,7 @@
---
-title: Important considerations before deploying apps with managed installer
+title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE
description: Learn about important aspects to consider before deploying apps with managed installer.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md
index 26e022bbbf..e7fdd29782 100644
--- a/education/windows/tutorial-deploy-apps-winse/create-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md
@@ -1,7 +1,7 @@
---
-title: Create policies to enable applications
+title: Create Policies To Enable Applications In Windows 11 SE
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
@@ -54,7 +54,7 @@ To create supplemental policies, download and install the [WDAC Policy Wizard][E
The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=1eedb284-5592-43e7-9446-ce178953502d]
### Create a supplemental policy for Win32 apps
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
index 62442e2058..4ab613f7f0 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
@@ -1,7 +1,7 @@
---
-title: Applications deployment considerations
+title: Applications Deployment Considerations In Windows 11 SE
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
index 63f6143853..990f4c894b 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
@@ -1,7 +1,7 @@
---
-title: Deploy policies to enable applications
+title: Deploy Policies To Enable Applications In Windows 11 SE
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md
index 1c09685eed..c96283ec0c 100644
--- a/education/windows/tutorial-deploy-apps-winse/index.md
+++ b/education/windows/tutorial-deploy-apps-winse/index.md
@@ -1,7 +1,7 @@
---
-title: Deploy applications to Windows 11 SE with Intune
+title: Deploy Applications To Windows 11 SE With Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
index 38a3ee9d4c..f23a6c4034 100644
--- a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
+++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
@@ -1,7 +1,7 @@
---
-title: Troubleshoot app deployment issues in Windows SE
+title: Troubleshoot App Deployment Issues In Windows Se
description: Troubleshoot common issues when deploying apps to Windows SE devices.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
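Review bot: The new title `Troubleshoot App Deployment Issues In Windows Se` lowercases the edition acronym, presumably a side effect of applying title case mechanically; it should remain `Windows SE`, i.e. `title: Troubleshoot App Deployment Issues In Windows SE`. The same lowercasing appears in the validate-apps.md hunk below (`Validate The Applications Deployed To Windows Se Devices`). The sibling titles changed in this diff (create-policies.md, deploy-apps.md, deploy-policies.md) keep `Windows 11 SE`, so these two are inconsistent with the rest of the set.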
diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md
index 211638de72..4cfa11748b 100644
--- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md
@@ -1,7 +1,7 @@
---
-title: Validate the applications deployed to Windows SE devices
+title: Validate The Applications Deployed To Windows Se Devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml
index 4a9b022c07..c33dec8686 100644
--- a/education/windows/windows-11-se-faq.yml
+++ b/education/windows/windows-11-se-faq.yml
@@ -1,9 +1,9 @@
### YamlMime:FAQ
metadata:
title: Windows 11 SE Frequently Asked Questions (FAQ)
- description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
ms.topic: faq
- ms.date: 01/16/2024
+ ms.date: 10/10/2024
appliesto:
- ✅ Windows 11 SE
@@ -30,7 +30,7 @@ sections:
- Express yourself and celebrate accomplishments with the *emoji and GIF panel* and *Stickers*
- name: Deployment
questions:
- - question: Can I load Windows 11 SE on any hardware?
+ - question: Can I load Windows 11 SE on any hardware?
answer: |
Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
- question: Can I PXE boot a Windows SE device?
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index e5fd11df2b..3c0a5f8d93 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -2,7 +2,7 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
-ms.date: 01/09/2024
+ms.date: 10/10/2024
appliesto:
- ✅ Windows 11 SE
ms.collection:
@@ -96,9 +96,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
-| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
+| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` |
-| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
+| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
| `DigiExam` | 14.1.0 | `Win32` | `Digiexam` |
| `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` |
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 1c973e2035..5e09c2f2d1 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -2,7 +2,7 @@
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.topic: reference
-ms.date: 05/06/2024
+ms.date: 10/10/2024
appliesto:
- ✅ Windows 11 SE
ms.collection:
diff --git a/includes/iot/supported-os-enterprise-plus.md b/includes/iot/supported-os-enterprise-plus.md
new file mode 100644
index 0000000000..b6c086d649
--- /dev/null
+++ b/includes/iot/supported-os-enterprise-plus.md
@@ -0,0 +1,8 @@
+---
+author: TerryWarwick
+ms.author: twarwick
+ms-topic: include
+ms.date: 09/30/2024
+---
+
+**Supported Editions** ✅ IoT Enterprise LTSC✅ IoT Enterprise✅ Enterprise LTSC✅ Enterprise✅ Education
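Review bot: The front-matter key on the fourth line of the new include is `ms-topic: include`, while every other include touched in this diff uses `ms.topic: include` (see `_edition-requirements.md`), so the topic type is unlikely to be picked up for this file; change it to `ms.topic: include`. The supported-editions line also runs the checkmark entries together with no separator after each edition name, so it renders as one unbroken string; a space before each checkmark, e.g. `✅ IoT Enterprise LTSC ✅ IoT Enterprise ✅ Enterprise LTSC ✅ Enterprise ✅ Education`, or one item per line, would read more clearly.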
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index 9810ebe8bf..19e8e7499f 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,11 +1,11 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 09/18/2023
+ms.date: 11/06/2024
ms.topic: include
---
-| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
+| Feature name | Windows Pro | Windows Enterprise/IoT Enterprise | Windows Pro Education | Windows Education |
|:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
@@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
-|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
@@ -32,7 +32,7 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
-|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
@@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
+|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
@@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
+|**Windows Hotpatch**|❌|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 022cbf278b..0ba2e7193a 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -5,7 +5,7 @@ ms.date: 11/02/2023
ms.topic: include
---
-|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|Feature name|Windows Pro/Pro Education|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
@@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
-|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
@@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
+|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
@@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
+|**Windows Hotpatch**|❌|Yes|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/assigned-access.md b/includes/licensing/assigned-access.md
index 3a980896b0..30348f5e9d 100644
--- a/includes/licensing/assigned-access.md
+++ b/includes/licensing/assigned-access.md
@@ -20,13 +20,3 @@ The following table lists the Windows editions that support Assigned Access:
|IoT Enterprise LTSC|✅|
|Pro Education|✅|
|Pro|✅|
-
-
\ No newline at end of file
diff --git a/includes/licensing/shell-launcher.md b/includes/licensing/shell-launcher.md
index b44ad3f92b..07418aeb82 100644
--- a/includes/licensing/shell-launcher.md
+++ b/includes/licensing/shell-launcher.md
@@ -20,14 +20,4 @@ The following table lists the Windows editions that support Shell Launcher:
|IoT Enterprise LTSC|✅|
|Pro Education|❌|
|Pro|❌|
-
-
\ No newline at end of file
+|Home|❌|
diff --git a/store-for-business/breadcrumb/toc.yml b/store-for-business/breadcrumb/toc.yml
deleted file mode 100644
index 4b1853471b..0000000000
--- a/store-for-business/breadcrumb/toc.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Docs
- tocHref: /
- topicHref: /
- items:
- - name: Microsoft Store for Business
- tocHref: /microsoft-store
- topicHref: /microsoft-store/index
\ No newline at end of file
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
deleted file mode 100644
index e29e3bfdae..0000000000
--- a/store-for-business/docfx.json
+++ /dev/null
@@ -1,81 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/**.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "adobe-target": true,
- "ms.collection": [
- "tier2"
- ],
- "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
- "uhfHeaderId": "MSDocsHeader-Archive",
- "is_archived": true,
- "is_retired": true,
- "ROBOTS": "NOINDEX,NOFOLLOW",
- "ms.author": "trudyha",
- "audience": "ITPro",
- "ms.service": "store-for-business",
- "ms.topic": "article",
- "ms.date": "05/09/2017",
- "searchScope": [
- "Store"
- ],
- "feedback_system": "None",
- "hideEdit": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.store-for-business",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "dstrome2",
- "rjagiewich",
- "American-Dipper",
- "claydetels19",
- "jborsecnik",
- "v-stchambers",
- "shdyas",
- "Stacyrch140",
- "garycentric",
- "dstrome",
- "alekyaj",
- "aditisrivastava07",
- "padmagit77"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "store-for-business",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 73dbb919ae..2a00963aef 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -5,7 +5,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 10/03/2017
-ms.topic: conceptual
+ms.topic: article
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index ae406114d7..2fe6bc1844 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -9,7 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 06/28/2024
+ ms.date: 09/27/2024
ms.topic: landing-page
ms.service: windows-client
ms.subservice: itpro-apps
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 9e6cefb8ae..f1cf07572c 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service s
author: aczechowski
ms.author: aaroncz
manager: aaroncz
-ms.date: 12/22/2023
+ms.date: 10/01/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
@@ -99,7 +99,7 @@ $services = Get-Service
foreach ( $service in $services ) {
# For each specific service, check if the service type property includes the 64 bit using the bitwise AND operator (-band).
# If the result equals the flag value, then the service is a per-user service.
- if ( ( $service.ServiceType -band $flag ) -eq $flag ) {
+ if ( ( $service.ServiceType -band $flag ) -eq $flag ) {
# When a per-user service is found, then add that service object to the results array.
$serviceList += $service
}
@@ -229,14 +229,14 @@ If you can't use group policy preferences to manage the per-user services, you c
1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`:
-```cmd
-REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
-REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
-REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
-REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
-REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
-REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
-```
+ ```cmd
+ REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
+ REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
+ REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
+ REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
+ REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
+ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
+ ```
#### Example 2: Use the Registry Editor user interface to edit the registry
@@ -248,7 +248,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
1. Change the **Value data** to `4`.
-:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
+ :::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
#### Example 3: Prevent the creation of per-user services
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index 65f0231016..c7c06cff12 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -5,7 +5,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 09/03/2023
-ms.topic: conceptual
+ms.topic: article
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
diff --git a/windows/application-management/sideload-apps-in-windows.md b/windows/application-management/sideload-apps-in-windows.md
index 3779938afc..8daf6b4e76 100644
--- a/windows/application-management/sideload-apps-in-windows.md
+++ b/windows/application-management/sideload-apps-in-windows.md
@@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
-ms.date: 12/22/2023
+ms.date: 09/27/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index eefc2151ab..7b70ff0a60 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,7 +1,7 @@
---
title: Microsoft Entra integration with MDM
description: Microsoft Entra ID is the world's largest enterprise cloud identity management service.
-ms.topic: conceptual
+ms.topic: integration
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index aca40777f6..2b977fd6b9 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,7 +1,7 @@
---
title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index c248120cff..6ddf688ccc 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,7 +1,7 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 2cea712e44..fb2030f3b1 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 66d42a4d90..8123971c28 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index 785eb740cc..7e095632aa 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -2,7 +2,7 @@
title: Windows Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: article
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index 725c23927a..dcc696bef2 100644
--- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -2,7 +2,7 @@
title: Windows default media removal policy
description: Manage default media removal policy in Windows.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Manage default media removal policy
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index c08492c201..ec535d0f88 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -3,7 +3,7 @@ title: Connect to remote Microsoft Entra joined device
description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device.
ms.localizationpriority: medium
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index 052dc9e72a..8c545751a6 100644
--- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -2,7 +2,7 @@
title: Manage Device Installation with Group Policy
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Manage Device Installation with Group Policy
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
index fb091f005b..b96a1bb4ac 100644
--- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -2,7 +2,7 @@
title: Manage the Settings app with Group Policy
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Manage the Settings app with Group Policy
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index 5e64dd2f66..6313cbca68 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -2,7 +2,7 @@
title: Create mandatory user profiles
description: A mandatory user profile is a special type of preconfigured roaming user profile that administrators can use to specify settings for users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Create mandatory user profiles
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 91ab1b998a..2123212ab0 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -2,7 +2,7 @@
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
ms.collection:
- highpri
- tier1
diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md
index 65a263719f..9efea447c0 100644
--- a/windows/client-management/client-tools/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -1,7 +1,7 @@
---
title: Windows Libraries
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 07/01/2024
---
diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md
index 2c34266131..579d7155d0 100644
--- a/windows/client-management/client-tools/windows-version-search.md
+++ b/windows/client-management/client-tools/windows-version-search.md
@@ -2,7 +2,7 @@
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# What version of Windows am I running?
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index f497c86712..bdf2eb1540 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -1,7 +1,7 @@
---
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
index a0a28f91ae..ec20778da6 100644
--- a/windows/client-management/declared-configuration.md
+++ b/windows/client-management/declared-configuration.md
@@ -121,7 +121,7 @@ If the processing of declared configuration document fails, the errors are logge
- If the Document ID doesn't match between the `` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
- `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
+ `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-1004336348-1177238915-682003330-1234), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
@@ -129,4 +129,4 @@ If the processing of declared configuration document fails, the errors are logge
There's also another warning message in operational channel:
- `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)`
\ No newline at end of file
+ `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007).`
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index 5f61783f99..4a33972765 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -1,7 +1,7 @@
---
title: Mobile device management MDM for device updates
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index cfc52d7c69..39ad4a5693 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,7 +1,7 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index db0f36a085..39777e659b 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -1,7 +1,7 @@
---
title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
-ms.topic: conceptual
+ms.topic: how-to
ms.localizationpriority: medium
ms.date: 07/08/2024
---
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 409c283821..ea24cc6e80 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,7 +1,7 @@
---
title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 71b7fe55b9..589b1b90c1 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,7 +1,7 @@
---
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 2a28981591..db582151c3 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -2,7 +2,7 @@
title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index 32b2fef7ef..6ae40cab14 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/images/8908044-recall-search.png b/windows/client-management/images/8908044-recall-search.png
new file mode 100644
index 0000000000..16ec5fda8b
Binary files /dev/null and b/windows/client-management/images/8908044-recall-search.png differ
diff --git a/windows/client-management/images/8908044-recall.png b/windows/client-management/images/8908044-recall.png
deleted file mode 100644
index 92c93c46cb..0000000000
Binary files a/windows/client-management/images/8908044-recall.png and /dev/null differ
diff --git a/windows/client-management/images/9598546-copilot-key-settings.png b/windows/client-management/images/9598546-copilot-key-settings.png
new file mode 100644
index 0000000000..e4c6e3ed8d
Binary files /dev/null and b/windows/client-management/images/9598546-copilot-key-settings.png differ
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index f5969415ed..1e0c5d005e 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -1,7 +1,7 @@
---
title: Support for Windows Information Protection (WIP) on Windows
description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md
index 82a405289c..f8a052962b 100644
--- a/windows/client-management/manage-recall.md
+++ b/windows/client-management/manage-recall.md
@@ -1,9 +1,9 @@
---
title: Manage Recall for Windows clients
-description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
+description: Learn how to manage Recall for commercial environments and about Recall features.
ms.topic: how-to
ms.subservice: windows-copilot
-ms.date: 06/13/2024
+ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
@@ -18,72 +18,161 @@ appliesto:
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
-Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+Recall (preview) allows users to search locally saved and locally analyzed snapshots of their screen using natural language. By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled. IT admins, on their own, can't start saving snapshots for end users. Recall is an opt-in experience that requires end user consent to save snapshots. Users can choose to enable or disable saving snapshots for themselves anytime. IT admins can only set policies that give users the option to enable saving snapshots and configure certain policies for Recall.
+
+This article provides information about Recall and how to manage it in a commercial environment.
> [!NOTE]
-> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
+> - Recall is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/).
+> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
+> - Recall is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
-When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+## What is Recall?
-:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
+Recall (preview) allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Snapshots are taken periodically while content on the screen is different from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+
+When Recall opens a snapshot you selected, it enables Click to Do, which runs on top of the saved snapshot. Click to Do analyzes what's in the snapshot and allows you to interact with individual elements in the snapshot. For instance, you can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+
+:::image type="content" border="true" source="images/8908044-recall-search.png" alt-text="Screenshot of Recall with search results displayed for a query for a presentation with a red barn." lightbox="images/8908044-recall-search.png":::
+
+### Recall security and privacy architecture
+
+Privacy and security are built into Recall's design. With Copilot+ PCs, you get powerful AI that runs locally on the device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots aren't sent to Microsoft. Recall AI processing occurs locally, and snapshots are securely stored on the local device only.
+
+Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096).
+
+When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. This feature operates directly on your device, utilizing the NPU and the Microsoft Classification Engine (MCE) - the same technology leveraged by [Microsoft Purview](/purview/purview) for detecting and labeling sensitive information. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the **Sensitive information filtering** setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md).
+
+In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content.
+
+Click to Do allows users to choose to get more information about their selected content online. When users choose one of the following Click to Do actions, the selected content is sent to the online provider from the local device to complete the request:
+
+- **Search the web**: Sends the selected content to the default search engine of the default browser
+- **Open website**: Opens the selected website in the default browser
+- **Visual search with Bing**: Sends the selected content to Bing visual search using the default browser.
+
+When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
+
+- `C:\Users\[username]\AppData\Local\Temp`
+
+Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some basic telemetry is gathered to keep Click to Do secure, up to date, and working.
## System requirements
-Recall has the following minimum system requirements:
-- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
+Recall has the following minimum requirements:
+
+- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) that meets the [Secured-core standard](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free
- - Snapshot capture automatically pauses once the device has less than 25 GB of disk space
+ - Saving snapshots automatically pauses once the device has less than 25 GB of storage space
+- Users need to enable Device Encryption or BitLocker
+- Users need to enroll into [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) with at least one biometric sign-in option enabled in order to authenticate.
## Supported browsers
-Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
+Users need a supported browser for Recall to [filter websites](#app-and-website-filtering-policies) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
-- **Microsoft Edge**: blocks websites and filters private browsing activity
-- **Firefox**: blocks websites and filters private browsing activity
-- **Opera**: blocks websites and filters private browsing activity
-- **Google Chrome**: blocks websites and filters private browsing activity
-- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites
+- **Microsoft Edge**: filters specified websites and filters private browsing activity
+- **Firefox**: filters specified websites and filters private browsing activity
+- **Opera**: filtered specified websites and filters private browsing activity
+- **Google Chrome**: filters specified websites and filters private browsing activity
+- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed, filters private browsing activity only, doesn't filter specific websites
## Configure policies for Recall
-Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content:
+By default, Recall is removed on commercially managed devices. If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the **Allow Recall to be enabled** and **Turn off saving snapshots for Windows** policies. Policies for Recall fall into the following general areas:
+
+- [Allow Recall and snapshots policies](#allow-recall-and-snapshots-policies)
+- [Storage policies](#storage-policies)
+- [App and website filtering policies](#app-and-website-filtering-policies)
+
+
+### Allow Recall and snapshots policies
+
+The **Allow Recall to be enabled** policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled and removed for managed devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own. If you disable this policy, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
| | Setting |
|---|---|
-| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
-| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
-
-## Limitations
-
-In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
-
-## User controlled settings for Recall
-
-The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
-
-- Website filtering
-- App filtering
-- Storage allocation
- - When the storage limit is reached, the oldest snapshots are deleted first.
-- Deleting snapshots
- - Delete all snapshots
- - Delete snapshots within a specific time frame
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[AllowRecallEnablement](mdm/policy-csp-windowsai.md#allowrecallenablement) |
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Allow Recall to be enabled** |
-### Storage allocation
+The **Turn off saving snapshots for Windows** policy allows you to give the users the choice to save snapshots of their screen for use with Recall. Administrators can't enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent. By default, snapshots won't be saved for use with Recall. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
-The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
-
-| Device storage capacity | Storage allocation options for Recall |
+| | Setting |
|---|---|
-| 256 GB | 25 GB (default), 10 GB |
-| 512 GB | 75 GB (default), 50 GB, 25 GB |
-| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
+### Storage policies
+
+You can define how much disk space Recall can use by using the **Set maximum storage for snapshots used by Recall** policy. You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB. When the storage limit is reached, the oldest snapshots are deleted first. When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity. 25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** |
+
+You can define how long snapshots can be retained on the device by using the **Set maximum duration for storing snapshots used by Recall** policy. You can configure the maximum storage duration to be 30, 60, 90, or 180 days. If the policy isn't configured, snapshots aren't deleted until the maximum storage allocation is reached, and then the oldest snapshots are deleted first.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum duration for storing snapshots used by Recall** |
+
+
+### App and website filtering policies
+
+You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section.
+
+To filter websites from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
+
+> [!NOTE]
+> - Private browsing activity is filtered by default when using [supported web browsers](#supported-browsers).
+> - Be aware that websites are filtered when they are in the foreground or are in the currently opened tab of a supported browser. Parts of filtered websites can still appear in snapshots such as embedded content, the browser's history, or an opened tab that isn't in the foreground.
+> - Filtering doesn't prevent browsers, internet service providers (ISPs), websites, organizations, or others from knowing that the website was accessed and building a history.
+> - Changes to this policy take effect after device restart.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** |
+
+
+**Set a list of apps to be filtered from snapshots for Recall** policy allows you to filter apps from being saved in snapshots. Define the list using a semicolon to separate apps. The list can include Application User Model IDs (AUMID) or the name of the executable file. For example: `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
+
+> [!Note]
+> - Like other Windows apps, such as the Snipping Tool, Recall won't store digital rights management (DRM) content.
+> - Changes to this policy take effect after device restart.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall**|
+
+
+#### Remote desktop connection clients filtered from snapshots
+
+Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots:
+
+ - [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc)
+ - [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
+ - [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
+ - [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows)
+ - [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list.
+ - [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows
+ - [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
+
+
+
+
+## Information for developers
+
+If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this URI, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
## Microsoft's commitment to responsible AI
@@ -91,6 +180,10 @@ Microsoft has been on a responsible AI journey since 2017, when we defined our p
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
-## Information for developers
-
-If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
+## Related links
+- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
+- [Update on Recall security and privacy architecture](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/)
+- [Retrace your steps with Recall](https://support.microsoft.com/windows/aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c)
+- [Privacy and control over your Recall experience](https://support.microsoft.com/windows/d404f672-7647-41e5-886c-a3c59680af15)
+- [Click to Do in Recall](https://support.microsoft.com/topic/967304a8-32d1-4812-a904-fad59b5e6abf)
+- [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/)
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index a43167be49..475dfb0985 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -3,7 +3,7 @@ title: Manage Windows devices in your organization - transitioning to modern man
description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.localizationpriority: medium
ms.date: 07/08/2024
-ms.topic: conceptual
+ms.topic: article
---
# Manage Windows devices in your organization - transitioning to modern management
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index d48ca50d9a..655fdb09e4 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -1,9 +1,9 @@
---
-title: Updated Windows and Microsoft Copilot experience
+title: Updated Windows and Microsoft 365 Copilot Chat experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
-ms.date: 09/18/2024
+ms.date: 01/28/2025
ms.author: mstewart
author: mestew
ms.collection:
@@ -13,62 +13,62 @@ appliesto:
- ✅ Windows 11, version 22H2 or later
---
-# Updated Windows and Microsoft Copilot experience
+# Updated Windows and Microsoft 365 Copilot Chat experience
->**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0).
+>**Looking for consumer information?** See [Welcome to Copilot on Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
## Enhanced data protection with enterprise data protection
-The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft Copilot will offer enterprise data protection](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) at no additional cost and redirect users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Copilot for Microsoft 365 and Microsoft Copilot. This means that security, privacy, compliance controls and commitments available for Copilot for Microsoft 365 will extend to Microsoft Copilot prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers - not only for Copilot for Microsoft 365, but also for emails in Exchange and files in SharePoint. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft Copilot updates and enterprise data protection FAQ](/copilot/edpfaq).
+The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq).
> [!IMPORTANT]
> To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not.
## Copilot in Windows (preview) isn't enabled
-If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither the Microsoft Copilot app nor the Microsoft 365 app are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
+If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app (formerly the Microsoft 365 app) are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
> [!NOTE]
> Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning.
## Copilot in Windows (preview) is enabled
-If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your employees moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we'll ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
+If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 Copilot app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
-If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
+If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
## Users signing in to new PCs with Microsoft Entra accounts
For users signing in to new PCs with work or school accounts, the following experience occurs:
-- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
-- Users that have the Microsoft 365 Copilot license will have Microsoft Copilot pinned by default inside the Microsoft 365 app.
-- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button.
- - Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- - Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot.
-- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
-- If admins elect not to pin Copilot and indicate that users may be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams.
-- If admins elect not to pin Microsoft Copilot and indicate that users may not be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users will have access to Microsoft Copilot from unless that URL is blocked by the IT admin.
-- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access.
+- The Microsoft 365 Copilot app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
+- Users that have the Microsoft 365 Copilot license have Microsoft 365 Copilot Chat pinned by default inside the Microsoft 365 Copilot app.
+- Within the Microsoft 365 Copilot app, the Microsoft 365 Copilot Chat icon is situated next to the home button.
+ - Microsoft 365 Copilot Chat (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
+ - Microsoft 365 Copilot Chat is available at no additional cost to customers with a Microsoft Entra account. Microsoft 365 Copilot Chat is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
+ - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft 365 Copilot Chat and the work scoped chat capabilities of Microsoft 365 Copilot.
+- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set taskbar pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
+- If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 Copilot app, Outlook, and Teams.
+- If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from unless that URL is blocked by the IT admin.
+- If the admins make no selection, users will be asked to pin Microsoft 365 Copilot Chat by themselves for easy access.
## When will this happen?
-The update to Microsoft Copilot to offer enterprise data protection is rolling out now.
-
-The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
-
-> [!IMPORTANT]
-> Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning.
+The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
+The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
+
+The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
+
+Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
-## Policy information
+## Policy information for previous Copilot in Windows (preview) experience
-Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center.
+Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app in the Microsoft 365 admin center.
-The following policy to manage Copilot in Windows (preview) will be removed in the future:
+The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy:
| | Setting |
@@ -76,3 +76,83 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
+## Remove or prevent installation of the Copilot app
+
+You can remove or uninstall the Copilot app from your device by using one of the following methods:
+
+1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
+
+1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
+ 1. Prevent installation of the Copilot app:
+ - Configure [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows update. AppLocker helps you control which apps and files users can run. Note: AppLocker policy should be used instead of the [Turn Off Windows Copilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) legacy policy setting and its MDM equivalent, [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot). The policy is subject to near-term deprecation.
+ - The Applocker policy can be configured by following one of the methods listed in [Edit an AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy) and adding the below text to the policy:
+ **Publisher**: CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
+ **Package name**: MICROSOFT.COPILOT
+ **Package version**: * (and above)
+
+ 1. Remove the Copilot app using PowerShell script:
+ 1. Open a Windows PowerShell window. You can do this by opening the Start menu, typing `PowerShell`, and selecting **Windows PowerShell** from the results.
+ 1. Once the PowerShell window is open, enter the following commands:
+ ```powershell
+ # Get the package full name of the Copilot app
+ $packageFullName = Get-AppxPackage -Name "Microsoft.Copilot" | Select-Object -ExpandProperty PackageFullName
+ # Remove the Copilot app
+ Remove-AppxPackage -Package $packageFullName
+ ```
+
+
+## Implications for the Copilot hardware key
+
+The Microsoft 365 Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft 365 Copilot Chat for work (https://copilot.cloud.microsoft).
+
+For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 Copilot app so that users can access Copilot within the Microsoft 365 Copilot app. End users can also configure this from the **Settings** page.
+
+The Microsoft 365 Copilot app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 Copilot app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 Copilot app. We also suggest you [Pin Microsoft 365 Copilot Chat](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 Copilot app.
+
+To avoid confusion for users as to which entry point for Microsoft 365 Copilot Chat to use, we recommend you uninstall the Copilot app.
+
+Use the table below to help determine the experience for your managed organization:
+
+| Configuration | Copilot experience | Copilot key invokes |
+| ---| --- | --- |
+| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft 365 Copilot app are present. | Windows Search |
+| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft 365 Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft 365 Copilot app |
+| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft 365 Copilot Chat is accessed through the Microsoft 365 Copilot app (after post-setup update). | Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app (after post-setup update). |
+| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft 365 Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 Copilot app, or prompt users to choose. |
+
+
+## Policies to manage the Copilot key
+
+Policies are available to configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md).
+
+To configure the Copilot key, use the following policy:
+
+| | Setting |
+|---|---|
+| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetCopilotHardwareKey](mdm/policy-csp-windowsai.md#setcopilothardwarekey) |
+| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Set Copilot Hardware Key** |
+
+
+## End user settings for the Copilot key
+
+If you choose to provide users in your organization with the choice to manage their own experience, a protocol to launch the **Settings** app remap the Copilot key is available. The following can be used by apps and scripts to bring the user to the setting so they can modify it to meet their needs:
+
+`ms-settings:personalization-textinput-copilot-hardwarekey`
+
+:::image type="content" border="true" source="./images/9598546-copilot-key-settings.png" alt-text="Screenshot of the text input page in Settings." lightbox="./images/9598546-copilot-key-settings.png":::
+
+
+
+If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 Copilot app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected.
+
+To map the key to the Microsoft 365 Copilot app, the user should select **Custom** and then choose the Microsoft 365 Copilot app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 Copilot app, they should reinstall it from the Microsoft Store.
+
+Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements.
+
+
+## Copilot installation with Windows updates and controls
+
+If you're an IT administrator and have enabled group policies to prevent the installation of Copilot, the Copilot app won't be installed on the configured devices. If you haven't enabled a group policy, you can remove the Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will:
+
+- Prevent the app from being installed if it isn't already on the device.
+- Block the app from being launched if it's already installed.
\ No newline at end of file
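Review bot: The PowerShell snippet under "Remove the Copilot app using PowerShell script" only removes the package for the user running the shell, because neither `Get-AppxPackage` nor `Remove-AppxPackage` is given `-AllUsers`, while the surrounding step is addressed to IT administrators who presumably expect device-wide removal. It also passes `$packageFullName` to `Remove-AppxPackage` unconditionally, so on a device where the app isn't installed the second command fails on an empty argument instead of reporting "not installed". A pipeline form handles both cases and any multiple matches in one line: `Get-AppxPackage -AllUsers -Name "Microsoft.Copilot" | Remove-AppxPackage -AllUsers`. It would also help admins to add a sentence saying that a provisioned copy of the package (visible via `Get-AppxProvisionedPackage -Online`) is removed separately, otherwise the app is installed again for new user profiles; the AppLocker rule a few lines above is the control that blocks both installation and launch regardless.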
diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md
index 0a3b883dcd..1a1d05ff3c 100644
--- a/windows/client-management/mdm-collect-logs.md
+++ b/windows/client-management/mdm-collect-logs.md
@@ -1,7 +1,7 @@
---
title: Collect MDM logs
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
index 5610d29c34..1b62250e8e 100644
--- a/windows/client-management/mdm-diagnose-enrollment.md
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -1,7 +1,7 @@
---
title: Diagnose MDM enrollment failures
description: Learn how to diagnose enrollment failures for Windows devices
-ms.topic: conceptual
+ms.topic: troubleshooting-general
ms.date: 07/08/2024
---
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index f57170b82c..b8023a8c8f 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,7 +1,7 @@
---
title: MDM enrollment of Windows devices
description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources.
-ms.topic: conceptual
+ms.topic: how-to
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 43e571ecb6..6534f06502 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -1,7 +1,7 @@
---
title: Known issues in MDM
description: Learn about known issues for Windows devices in MDM
-ms.topic: conceptual
+ms.topic: troubleshooting-known-issue
ms.date: 07/08/2024
---
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index 1db4cb2fee..0bac6e35c0 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -2,7 +2,7 @@
title: Mobile Device Management overview
description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
ms.date: 07/08/2024
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
ms.collection:
- highpri
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 3fd4c9a6d5..9824f9f4bb 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,7 +1,8 @@
---
title: LanguagePackManagement CSP
description: Learn more about the LanguagePackManagement CSP.
-ms.date: 05/20/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 55180da611..5dbbb32e91 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -1,7 +1,8 @@
---
title: AccountManagement CSP
description: Learn more about the AccountManagement CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -134,7 +135,7 @@ Configures when profiles will be deleted. Allowed values: 0 (delete immediately
-Enable profile lifetime mangement for shared or communal device scenarios.
+Enable profile lifetime management for shared or communal device scenarios.
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index 06093b49ae..9fbf72a271 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -1,7 +1,8 @@
---
title: AccountManagement DDF file
description: View the XML file containing the device description framework (DDF) for the AccountManagement configuration service provider.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index e32ee78e33..2774e66244 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -54,7 +54,7 @@ Available naming macros:
Supported operation is Add.
> [!Note]
-> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
+> For desktop PCs on supported versions of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
**Users**
Interior node for the user account information.
@@ -62,12 +62,26 @@ Interior node for the user account information.
**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
+> [!IMPORTANT]
+> The username is limited to 20 characters.
+
**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from Intune.
+> [!IMPORTANT]
+> This string needs to meet the current password policy requirements.
+>
+> Escape any special characters in the string. For example,
+>
+> | Character | Escape sequence |
+> |:---|:---|
+> | `<` | `<` |
+> | `>` | `>` |
+> | `&` | `&` |
+
**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 8d862c057a..08d97f311c 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,7 +1,8 @@
---
title: ActiveSync CSP
description: Learn more about the ActiveSync CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 99038f75e0..7948682484 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,7 +1,8 @@
---
title: ActiveSync DDF file
description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index 8b27862509..9a4927ab7f 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,7 +1,8 @@
---
title: ApplicationControl DDF file
description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 7d20bc1c4c..8a598bacc1 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -1,7 +1,8 @@
---
title: ApplicationControl CSP
description: Learn more about the ApplicationControl CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index b7c198fd13..668e1f1cc4 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,7 +1,8 @@
---
title: AppLocker CSP
description: Learn more about the AppLocker CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index 9d1ededd2a..17e7c8517b 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,7 +1,8 @@
---
title: AppLocker DDF file
description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index cc69b6bb5a..226d30cd6d 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,7 +1,8 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -126,7 +127,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
-Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`.
+Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index 81d21dbfab..5e6d4bba56 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,7 +1,8 @@
---
title: AssignedAccess DDF file
description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index f4d06f4ce7..00bdf3ecff 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1,7 +1,8 @@
---
title: BitLocker CSP
description: Learn more about the BitLocker CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -551,6 +552,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages
- 2 = Store recovery passwords only
+
+For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+
+For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
@@ -2092,6 +2097,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages.
- 2 = Store recovery passwords only.
+
+For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+
+For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 1680ecfd3d..c8dd0ba91c 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -1,7 +1,8 @@
---
title: BitLocker DDF file
description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
-ms.date: 08/07/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index fc94239b02..0f807dd26f 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -1,7 +1,8 @@
---
title: CertificateStore CSP
description: Learn more about the CertificateStore CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md
index b552ae24ad..4bafa3afe1 100644
--- a/windows/client-management/mdm/certificatestore-ddf-file.md
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md
@@ -1,7 +1,8 @@
---
title: CertificateStore DDF file
description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 89b0a33e28..5e07bc1dce 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,7 +1,8 @@
---
title: ClientCertificateInstall CSP
description: Learn more about the ClientCertificateInstall CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index 20bf836b45..0939486314 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,7 +1,8 @@
---
title: ClientCertificateInstall DDF file
description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md
index 253efc7e95..ad088e970b 100644
--- a/windows/client-management/mdm/clouddesktop-csp.md
+++ b/windows/client-management/mdm/clouddesktop-csp.md
@@ -1,7 +1,8 @@
---
title: CloudDesktop CSP
description: Learn more about the CloudDesktop CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md
index 07c68d9f04..d793b28c1c 100644
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@@ -1,7 +1,8 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -40,7 +41,7 @@ The following XML file contains the device description framework (DDF) for the C
99.9.999992.0
- 0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;
+ 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;
@@ -139,7 +140,7 @@ The following XML file contains the device description framework (DDF) for the C
10.0.22621.33741.0
- 0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;
+ 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 99b94df749..bcb544c636 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
-- [DDF v2 Files, May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
+- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip)
## DDF v2 schema
@@ -574,7 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
-
+- [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md
index 4251c9ab44..27ff417b8f 100644
--- a/windows/client-management/mdm/declaredconfiguration-csp.md
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@@ -1,7 +1,8 @@
---
title: DeclaredConfiguration CSP
description: Learn more about the DeclaredConfiguration CSP.
-ms.date: 09/12/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -45,6 +46,8 @@ The following list shows the DeclaredConfiguration configuration service provide
- [Results](#hostinventoryresults)
- [{DocID}](#hostinventoryresultsdocid)
- [Document](#hostinventoryresultsdociddocument)
+ - [ManagementServiceConfiguration](#managementserviceconfiguration)
+ - [ConflictResolution](#managementserviceconfigurationconflictresolution)
@@ -223,7 +226,7 @@ Uniquely identifies the configuration document. No other document can have this
-The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document.
@@ -588,7 +591,7 @@ Uniquely identifies the inventory document. No other document can have this id.
-The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document.
@@ -728,6 +731,93 @@ The Document node's value is an XML based document containing a collection of se
+
+## ManagementServiceConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration
+```
+
+
+
+
+The ManagementServiceConfiguration node that's used to control certain Windows Declared Configuration behavior.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### ManagementServiceConfiguration/ConflictResolution
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration/ConflictResolution
+```
+
+
+
+
+This node controls to turn on conflict resolution on and off.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The conflict resolution is OFF. |
+| 1 | The conflict resolution is ON. |
+
+
+
+
+
+
+
+
## DeclaredConfiguration OMA URI
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
index 07e2e406e6..bd5711d552 100644
--- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -1,7 +1,8 @@
---
title: DeclaredConfiguration DDF file
description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -466,6 +467,61 @@ The following XML file contains the device description framework (DDF) for the D
+
+ ManagementServiceConfiguration
+
+
+
+
+ The ManagementServiceConfiguration node that is used to control certain Windows Declared Configuration behavior
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConflictResolution
+
+
+
+
+
+
+
+ This node controls to turn on conflict resolution on and off.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ The conflict resolution is OFF.
+
+
+ 1
+ The conflict resolution is ON.
+
+
+
+
+
```
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 198570987e..b3beaf7ff2 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,7 +1,8 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
-ms.date: 06/21/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1289,7 +1290,7 @@ Define data duplication remote location for Device Control. When configuring thi
-Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
+Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.
@@ -1304,7 +1305,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[7-60]` |
-| Default Value | 25 |
+| Default Value | 30 |
@@ -3775,9 +3776,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description |
|:--|:--|
-| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
-| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
-| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. |
+| 4 | Current Channel (Staged): Same as Current Channel (Broad). |
+| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. |
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index f286ba947c..000fc9209d 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,7 +1,8 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1627,15 +1628,15 @@ The following XML file contains the device description framework (DDF) for the D
0
- Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+ Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment4
- Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
+ Current Channel (Staged): Same as Current Channel (Broad).5
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+ Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.
@@ -2373,8 +2374,8 @@ The following XML file contains the device description framework (DDF) for the D
- 25
- Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
+ 30
+ Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index ef825d0541..98224519ff 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,7 +1,8 @@
---
title: DevDetail CSP
description: Learn more about the DevDetail CSP.
-ms.date: 08/06/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -399,7 +400,7 @@ Total free storage in MB from first internal drive on the device.
-Returns the client local time in ISO 8601 format. Example: 2003-06-16. T18:37:44Z.
+Returns the client local time in ISO 8601 format. Example: 2003-06-16T18:37:44Z.
@@ -1259,7 +1260,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de
-Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index c7b1a08470..c95e76c1f5 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -1,7 +1,8 @@
---
title: DevDetail DDF file
description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 7ca0975068..6512893f20 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,7 +1,8 @@
---
title: DeviceManageability CSP
description: Learn more about the DeviceManageability CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index 4769870f2a..108d6f2baa 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -1,7 +1,8 @@
---
title: DeviceManageability DDF file
description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index b93cdfd164..d466c262e7 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -1,7 +1,8 @@
---
title: DevicePreparation CSP
description: Learn more about the DevicePreparation CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 903c08866d..c0c37e1261 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -1,7 +1,8 @@
---
title: DevicePreparation DDF file
description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index c119bdbf72..9c6ace8133 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,7 +1,8 @@
---
title: DeviceStatus CSP
description: Learn more about the DeviceStatus CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index d1977f5eaa..19018f4905 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,7 +1,8 @@
---
title: DeviceStatus DDF file
description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider.
-ms.date: 08/07/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index 348fd292dc..66333fd3ba 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -1,7 +1,8 @@
---
title: DevInfo CSP
description: Learn more about the DevInfo CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index a57636514a..39841d704f 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,7 +1,8 @@
---
title: DevInfo DDF file
description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 01c937ef35..971e077470 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -1,7 +1,8 @@
---
title: DiagnosticLog CSP
description: Learn more about the DiagnosticLog CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 03887d47c3..47b12ad46b 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,7 +1,8 @@
---
title: DiagnosticLog DDF file
description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index 271a68b16e..fa5cbb05be 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -1,7 +1,8 @@
---
title: DMAcc CSP
description: Learn more about the DMAcc CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 15fc5f3231..2d3fb556aa 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,7 +1,8 @@
---
title: DMAcc DDF file
description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 10c971f332..dafa7bc0bb 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,7 +1,8 @@
---
title: DMClient CSP
description: Learn more about the DMClient CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1654,7 +1655,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
@@ -1694,7 +1695,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
@@ -4311,7 +4312,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
@@ -4351,7 +4352,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index b82d0fe21b..e56f464486 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,7 +1,8 @@
---
title: DMClient DDF file
description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index cb09b51a30..2e9994efd2 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -1,7 +1,8 @@
---
title: EMAIL2 CSP
description: Learn more about the EMAIL2 CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index 144f69b17d..853b0143c9 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,7 +1,8 @@
---
title: EMAIL2 DDF file
description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index e0331f74f7..1e7b4ce38f 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -1,7 +1,8 @@
---
title: EnterpriseDesktopAppManagement CSP
description: Learn more about the EnterpriseDesktopAppManagement CSP.
-ms.date: 05/20/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
index ba537d72e7..898fd84ff0 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
@@ -1,7 +1,8 @@
---
title: EnterpriseDesktopAppManagement DDF file
description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 6357958bf3..878a0a1212 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,7 +1,8 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -6951,7 +6952,7 @@ Interior node for all managed app setting values.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
@@ -8193,7 +8194,7 @@ This node is only supported in the user context.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
@@ -9495,7 +9496,7 @@ This node is only supported in the user context.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index 5b95cba183..785c3ec2de 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,7 +1,8 @@
---
title: EnterpriseModernAppManagement DDF file
description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index a4af4d0697..d0c56c5e8c 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -1,7 +1,8 @@
---
title: eUICCs CSP
description: Learn more about the eUICCs CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 6a148a8d22..3b2b23d68b 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,7 +1,8 @@
---
title: eUICCs DDF file
description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index e269946643..e782cfc9c3 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -1,7 +1,8 @@
---
title: Firewall CSP
description: Learn more about the Firewall CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -2221,7 +2222,7 @@ Specifies the friendly name of the firewall rule.
-Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
+Specifies one App Control tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index e48568b2b5..d0cc7b9d7c 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1,7 +1,8 @@
---
title: Firewall DDF file
description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 4367d3cb2f..99029bde87 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -1,7 +1,8 @@
---
title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -51,7 +52,7 @@ The following list shows the HealthAttestation configuration service provider no
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index 0c9d382872..3acbfc05ad 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,7 +1,8 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -436,7 +437,7 @@ The following XML file contains the device description framework (DDF) for the H
- 99.9.99999
+ 99.9.99999, 10.0.26100.2314, 10.0.22621.45411.4
diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml
index f1b84cf506..632aec5fb8 100644
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@@ -9,7 +9,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- tier1
- ms.date: 10/25/2023
+ ms.date: 10/07/2024
ms.localizationpriority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -27,8 +27,8 @@ landingContent:
url: configuration-service-provider-support.md
- text: Device description framework (DDF) files
url: configuration-service-provider-ddf.md
- - text: BitLocker CSP
- url: bitlocker-csp.md
+ - text: Contribute to CSP reference
+ url: contribute-csp-reference.md
- text: Declared Configuration protocol
url: ../declared-configuration.md
@@ -42,8 +42,8 @@ landingContent:
url: policy-configuration-service-provider.md
- text: Policy DDF file
url: configuration-service-provider-ddf.md
- - text: Policy CSP - Start
- url: policy-csp-start.md
+ - text: Policy CSP - Defender
+ url: policy-csp-defender.md
- text: Policy CSP - Update
url: policy-csp-update.md
diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md
index 3739f4f142..1cbe49e886 100644
--- a/windows/client-management/mdm/language-pack-management-ddf-file.md
+++ b/windows/client-management/mdm/language-pack-management-ddf-file.md
@@ -1,7 +1,8 @@
---
title: LanguagePackManagement DDF file
description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index 0e5e7d5b2d..0f5b037f09 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -1,7 +1,8 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
-ms.date: 06/21/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 06/21/2024
# LAPS CSP
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@@ -327,7 +326,7 @@ Note if a custom managed local administrator account name is specified in this s
Use this setting to configure whether the password is encrypted before being stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
@@ -389,7 +388,7 @@ If not specified, this setting defaults to True.
Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
@@ -432,7 +431,7 @@ If the specified user or group account is invalid the device will fallback to us
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -488,7 +487,7 @@ If not specified, this setting defaults to False.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -543,7 +542,7 @@ If not specified, this setting defaults to False.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -587,7 +586,7 @@ If not specified, this setting will default to "WLapsAdmin".
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -643,7 +642,7 @@ If not specified, this setting defaults to False.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -759,7 +758,7 @@ If not specified, this setting will default to 0.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index 5d06e470a6..f8f906fd5d 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -1,7 +1,8 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -80,7 +81,7 @@ The following XML file contains the device description framework (DDF) for the L
The allowable settings are:
0=Disabled (password will not be backed up)
-1=Backup the password to Azure AD only
+1=Backup the password to Microsoft Entra ID only
2=Backup the password to Active Directory only
If not specified, this setting will default to 0.
@@ -103,7 +104,7 @@ If not specified, this setting will default to 0.
1
- Backup the password to Azure AD only
+ Backup the password to Microsoft Entra ID only2
@@ -126,7 +127,7 @@ If not specified, this setting will default to 0.
If not specified, this setting will default to 30 days
-This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
+This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
This setting has a maximum allowed value of 365 days.
@@ -154,7 +155,7 @@ This setting has a maximum allowed value of 365 days.
1
- BackupDirectory configured to Azure AD
+ BackupDirectory configured to Microsoft Entra ID
@@ -327,7 +328,7 @@ This setting has a maximum allowed value of 10 words.
- 99.9.9999
+ 10.0.261001.1
@@ -442,7 +443,7 @@ If not specified, this setting defaults to True.
TrueUse this setting to configure whether the password is encrypted before being stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
@@ -499,7 +500,7 @@ If not specified, this setting defaults to True.Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
@@ -690,7 +691,7 @@ If not specified, this setting defaults to False.
- 99.9.9999
+ 10.0.261001.1
@@ -736,7 +737,7 @@ If not specified, this setting will default to 1.
- 99.9.9999
+ 10.0.261001.1
@@ -791,7 +792,7 @@ If not specified, this setting will default to "WLapsAdmin".
- 99.9.9999
+ 10.0.261001.1
@@ -839,7 +840,7 @@ If not specified, this setting defaults to False.
- 99.9.9999
+ 10.0.261001.1
@@ -897,7 +898,7 @@ If not specified, this setting defaults to False.
- 99.9.9999
+ 10.0.261001.1
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 8eba61aa61..f8e643ccae 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -1,7 +1,8 @@
---
title: NetworkProxy CSP
description: Learn more about the NetworkProxy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md
index 4448901798..99756c2d7c 100644
--- a/windows/client-management/mdm/networkproxy-ddf.md
+++ b/windows/client-management/mdm/networkproxy-ddf.md
@@ -1,7 +1,8 @@
---
title: NetworkProxy DDF file
description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index 87c98019ce..3320f36adc 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -1,7 +1,8 @@
---
title: NetworkQoSPolicy CSP
description: Learn more about the NetworkQoSPolicy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 04b4528ac6..52080f9687 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,7 +1,8 @@
---
title: NetworkQoSPolicy DDF file
description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index 53c5f2e391..91fb84f680 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -1,7 +1,8 @@
---
title: NodeCache CSP
description: Learn more about the NodeCache CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 4d442904e4..a635dca24e 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,7 +1,8 @@
---
title: NodeCache DDF file
description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 70692efc8b..0fe23966a6 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -1,7 +1,8 @@
---
title: Office CSP
description: Learn more about the Office CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -11,7 +12,7 @@ ms.date: 01/18/2024
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [Add Microsoft 365 Apps to Windows devices with Microsoft Intune](/mem/intune/apps/apps-add-office365).
@@ -587,7 +588,7 @@ To get the current status of Office 365 on the device.
| 17001 | ERROR_QUEUE_SCENARIO Failed to queue installation scenario in C2RClient | Failure |
| 17002 | ERROR_COMPLETING_SCENARIO Failed to complete the process. Possible reasons:
Installation canceled by user
Installation canceled by another installation
Out of disk space during installation
Unknown language ID | Failure |
| 17003 | ERROR_ANOTHER_RUNNING_SCENARIO Another scenario is running | Failure |
-| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP Possible reasons:
Unknown SKUs
Content does't exist on CDN
Such as trying to install an unsupported LAP, like zh-sg
CDN issue that content is not available
Signature check issue, such as failed the signature check for Office content
User canceled | Failure |
+| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP Possible reasons:
Unknown SKUs
Content doesn't exist on CDN
Such as trying to install an unsupported LAP, like zh-sg
CDN issue that content is not available
Signature check issue, such as failed the signature check for Office content
User canceled | Failure |
| 17005 | ERROR_SCENARIO_CANCELLED_AS_PLANNED | Failure |
| 17006 | ERROR_SCENARIO_CANCELLED Blocked update by running apps | Failure |
| 17007 | ERROR_REMOVE_INSTALLATION_NEEDED The client is requesting client clean-up in a "Remove Installation" scenario | Failure |
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index e36405ce71..15d49860a7 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -1,7 +1,8 @@
---
title: Office DDF file
description: View the XML file containing the device description framework (DDF) for the Office configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 2b322e0891..1151ff64a9 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,7 +1,8 @@
---
title: PassportForWork CSP
description: Learn more about the PassportForWork CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -265,7 +266,7 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index c94b22aed5..a40108a1d3 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,7 +1,8 @@
---
title: PassportForWork DDF file
description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -831,7 +832,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
- 99.9.99999
+ 10.0.226211.6
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
index 2a4648393a..68a0344e14 100644
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -1,25 +1,32 @@
---
-title: PDE CSP
-description: Learn more about the PDE CSP.
-ms.date: 01/18/2024
+title: Personal Data Encryption CSP
+description: Learn more about the Personal Data Encryption CSP.
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
-# PDE CSP
+# Personal Data Encryption CSP
-The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
+The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
-The following list shows the PDE configuration service provider nodes:
+The following list shows the Personal Data Encryption configuration service provider nodes:
- ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
+ - [ProtectFolders](#protectfolders)
+ - [ProtectDesktop](#protectfoldersprotectdesktop)
+ - [ProtectDocuments](#protectfoldersprotectdocuments)
+ - [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status)
+ - [FolderProtectionStatus](#statusfolderprotectionstatus)
+ - [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
@@ -45,7 +52,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
-The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled.
+The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
@@ -72,6 +79,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
+
+## ProtectFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectDesktop
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectDocuments
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectPictures
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
## Status
@@ -93,10 +285,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
-Reports the current status of Personal Data Encryption (PDE) for the user.
+Reports the current status of Personal Data Encryption for the user.
-- If prerequisites of PDE aren't met, then the status will be 0.
-- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
+- If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
+- If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
@@ -114,6 +306,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
+
+### Status/FolderProtectionStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
+```
+
+
+
+
+This node reports folder protection status for a user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Protection not started. |
+| 1 | Protection is completed with no failures. |
+| 2 | Protection in progress. |
+| 3 | Protection failed. |
+
+
+
+
+
+
+
+
+
+### Status/FoldersProtected
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/Status/FoldersProtected
+```
+
+
+
+
+This node reports all folders (full path to each folder) that have been protected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
### Status/PersonalDataEncryptionStatus
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md
index 165f97507c..9d837a739c 100644
--- a/windows/client-management/mdm/personaldataencryption-ddf-file.md
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@@ -1,14 +1,15 @@
---
-title: PDE DDF file
-description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider.
-ms.date: 06/28/2024
+title: Personal Data Encryption DDF file
+description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider.
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
-# PDE DDF file
+# Personal Data Encryption DDF file
-The following XML file contains the device description framework (DDF) for the PDE configuration service provider.
+The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider.
```xml
@@ -76,6 +77,171 @@ The following XML file contains the device description framework (DDF) for the P
+
+ ProtectFolders
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
+ ProtectDocuments
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+
+ ProtectDesktop
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+
+ ProtectPictures
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+ Status
@@ -116,6 +282,74 @@ The following XML file contains the device description framework (DDF) for the P
+
+ FolderProtectionStatus
+
+
+
+
+ This node reports folder protection status for a user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
+ 0
+ Protection not started.
+
+
+ 1
+ Protection is completed with no failures.
+
+
+ 2
+ Protection in progress.
+
+
+ 3
+ Protection failed.
+
+
+
+
+
+ FoldersProtected
+
+
+
+
+ This node reports all folders (full path to each folder) that have been protected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
@@ -123,4 +357,4 @@ The following XML file contains the device description framework (DDF) for the P
## Related articles
-[PDE configuration service provider reference](personaldataencryption-csp.md)
+[Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md)
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 56a05d8beb..b08ee9521e 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -1,7 +1,8 @@
---
title: Personalization CSP
description: Learn more about the Personalization CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index 052f60bfcd..66928db977 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,7 +1,8 @@
---
title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -42,7 +43,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.162991.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index c0c0fd2588..826ef1ac3b 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -137,7 +137,6 @@ ms.date: 02/03/2023
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) 11
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) 11
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) 11
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) 11
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index ebfe368e86..efe09a55c0 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,8 @@
---
title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -382,8 +383,10 @@ This article lists the policies that are applicable for the Surface Hub operatin
## Start
+- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout)
+- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## System
@@ -417,6 +420,7 @@ This article lists the policies that are applicable for the Surface Hub operatin
- [ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
- [ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
- [ForceTouchKeyboardDockedState](policy-csp-textinput.md#forcetouchkeyboarddockedstate)
+- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
- [TouchKeyboardDictationButtonAvailability](policy-csp-textinput.md#touchkeyboarddictationbuttonavailability)
- [TouchKeyboardEmojiButtonAvailability](policy-csp-textinput.md#touchkeyboardemojibuttonavailability)
- [TouchKeyboardFullModeAvailability](policy-csp-textinput.md#touchkeyboardfullmodeavailability)
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md
index 0ad7b632c3..b3ead6b748 100644
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@@ -1,7 +1,8 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -17,6 +18,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TurnOffInstallTracing](policy-csp-appdeviceinventory.md#turnoffinstalltracing)
- [TurnOffAPISamping](policy-csp-appdeviceinventory.md#turnoffapisamping)
- [TurnOffApplicationFootprint](policy-csp-appdeviceinventory.md#turnoffapplicationfootprint)
+- [TurnOffWin32AppBackup](policy-csp-appdeviceinventory.md#turnoffwin32appbackup)
+
+## ApplicationManagement
+
+- [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules)
## ClientCertificateInstall CSP
@@ -28,41 +34,27 @@ This article lists the policies that are applicable for Windows Insider Preview
- [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
- [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
-## Cryptography
+## Connectivity
-- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
-- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
-- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
-- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
-- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
-- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
+- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
+- [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
+- [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
+- [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
## DeclaredConfiguration CSP
- [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
- [Abandoned](declaredconfiguration-csp.md#hostcompletedocumentsdocidpropertiesabandoned)
+- [ConflictResolution](declaredconfiguration-csp.md#managementserviceconfigurationconflictresolution)
## DeliveryOptimization
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
-## DesktopAppInstaller
+## DeviceGuard
-- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md#enablewindowspackagemanagercommandlineinterfaces)
-- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md#enablewindowspackagemanagerconfiguration)
-
-## DeviceLock
-
-- [MaximumPasswordAge](policy-csp-devicelock.md#maximumpasswordage)
-- [ClearTextPassword](policy-csp-devicelock.md#cleartextpassword)
-- [PasswordComplexity](policy-csp-devicelock.md#passwordcomplexity)
-- [PasswordHistorySize](policy-csp-devicelock.md#passwordhistorysize)
-- [AccountLockoutPolicy](policy-csp-devicelock.md#accountlockoutpolicy)
-- [AllowAdministratorLockout](policy-csp-devicelock.md#allowadministratorlockout)
-- [MinimumPasswordLength](policy-csp-devicelock.md#minimumpasswordlength)
-- [MinimumPasswordLengthAudit](policy-csp-devicelock.md#minimumpasswordlengthaudit)
-- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md#relaxminimumpasswordlengthlimits)
+- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
## DevicePreparation CSP
@@ -77,6 +69,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [MdmAgentInstalled](devicepreparation-csp.md#mdmprovidermdmagentinstalled)
- [RebootRequired](devicepreparation-csp.md#mdmproviderrebootrequired)
+## Display
+
+- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
+- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource)
+
## DMClient CSP
- [DiscoveryEndpoint](dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
@@ -84,12 +81,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [Cadence](dmclient-csp.md#deviceproviderprovideridconfigrefreshcadence)
- [PausePeriod](dmclient-csp.md#deviceproviderprovideridconfigrefreshpauseperiod)
-## Experience
-
-- [AllowScreenRecorder](policy-csp-experience.md#allowscreenrecorder)
-- [EnableOrganizationalMessages](policy-csp-experience.md#enableorganizationalmessages)
-- [DisableTextTranslation](policy-csp-experience.md#disabletexttranslation)
-
## FileSystem
- [EnableDevDrive](policy-csp-filesystem.md#enabledevdrive)
@@ -101,10 +92,9 @@ This article lists the policies that are applicable for Windows Insider Preview
## HumanPresence
-- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md#forcedisablewakewhenbatterysaveron)
-- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowwakewhenexternaldisplayconnected)
-- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowlockwhenexternaldisplayconnected)
-- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowdimwhenexternaldisplayconnected)
+- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
+- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
+- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer
@@ -121,49 +111,9 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
-## LAPS CSP
-
-- [PassphraseLength](laps-csp.md#policiespassphraselength)
-- [AutomaticAccountManagementEnabled](laps-csp.md#policiesautomaticaccountmanagementenabled)
-- [AutomaticAccountManagementTarget](laps-csp.md#policiesautomaticaccountmanagementtarget)
-- [AutomaticAccountManagementNameOrPrefix](laps-csp.md#policiesautomaticaccountmanagementnameorprefix)
-- [AutomaticAccountManagementEnableAccount](laps-csp.md#policiesautomaticaccountmanagementenableaccount)
-- [AutomaticAccountManagementRandomizeName](laps-csp.md#policiesautomaticaccountmanagementrandomizename)
-
## LocalPoliciesSecurityOptions
-- [Audit_AuditTheUseOfBackupAndRestoreprivilege](policy-csp-localpoliciessecurityoptions.md#audit_audittheuseofbackupandrestoreprivilege)
-- [Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings](policy-csp-localpoliciessecurityoptions.md#audit_forceauditpolicysubcategorysettingstooverrideauditpolicycategorysettings)
-- [Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits](policy-csp-localpoliciessecurityoptions.md#audit_shutdownsystemimmediatelyifunabletologsecurityaudits)
-- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md#devices_restrictfloppyaccesstolocallyloggedonuseronly)
-- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptorsignsecurechanneldataalways)
-- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptsecurechanneldatawhenpossible)
-- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallysignsecurechanneldatawhenpossible)
-- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md#domainmember_disablemachineaccountpasswordchanges)
-- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md#domainmember_maximummachineaccountpasswordage)
-- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md#domainmember_requirestrongsessionkey)
-- [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md#interactivelogon_machineaccountlockoutthreshold)
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
-- [InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](policy-csp-localpoliciessecurityoptions.md#interactivelogon_promptusertochangepasswordbeforeexpiration)
-- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_amountofidletimerequiredbeforesuspendingsession)
-- [MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_disconnectclientswhenlogonhoursexpire)
-- [MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_serverspntargetnamevalidationlevel)
-- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md#networkaccess_allowanonymoussidornametranslation)
-- [NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication](policy-csp-localpoliciessecurityoptions.md#networkaccess_donotallowstorageofpasswordsandcredentialsfornetworkauthentication)
-- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md#networkaccess_leteveryonepermissionsapplytoanonymoususers)
-- [NetworkAccess_NamedPipesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_namedpipesthatcanbeaccessedanonymously)
-- [NetworkAccess_RemotelyAccessibleRegistryPaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypaths)
-- [NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypathsandsubpaths)
-- [NetworkAccess_SharesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharesthatcanbeaccessedanonymously)
-- [NetworkAccess_SharingAndSecurityModelForLocalAccounts](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharingandsecuritymodelforlocalaccounts)
-- [NetworkSecurity_AllowLocalSystemNULLSessionFallback](policy-csp-localpoliciessecurityoptions.md#networksecurity_allowlocalsystemnullsessionfallback)
-- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#networksecurity_forcelogoffwhenlogonhoursexpire)
-- [NetworkSecurity_LDAPClientSigningRequirements](policy-csp-localpoliciessecurityoptions.md#networksecurity_ldapclientsigningrequirements)
-- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowautomaticadministrativelogon)
-- [RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowfloppycopyandaccesstoalldrivesandallfolders)
-- [SystemCryptography_ForceStrongKeyProtection](policy-csp-localpoliciessecurityoptions.md#systemcryptography_forcestrongkeyprotection)
-- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md#systemobjects_requirecaseinsensitivityfornonwindowssubsystems)
-- [SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects](policy-csp-localpoliciessecurityoptions.md#systemobjects_strengthendefaultpermissionsofinternalsystemobjects)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_typeofadminapprovalmode)
@@ -174,105 +124,43 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
-## MSSecurityGuide
+## NewsAndInterests
-- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md#netbtnodetypeconfiguration)
-
-## NetworkListManager
-
-- [AllNetworks_NetworkIcon](policy-csp-networklistmanager.md#allnetworks_networkicon)
-- [AllNetworks_NetworkLocation](policy-csp-networklistmanager.md#allnetworks_networklocation)
-- [AllNetworks_NetworkName](policy-csp-networklistmanager.md#allnetworks_networkname)
-- [IdentifyingNetworks_LocationType](policy-csp-networklistmanager.md#identifyingnetworks_locationtype)
-- [UnidentifiedNetworks_LocationType](policy-csp-networklistmanager.md#unidentifiednetworks_locationtype)
-- [UnidentifiedNetworks_UserPermissions](policy-csp-networklistmanager.md#unidentifiednetworks_userpermissions)
-
-## Notifications
-
-- [DisableAccountNotifications](policy-csp-notifications.md#disableaccountnotifications)
+- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
+- [DisableWidgetsBoard](policy-csp-newsandinterests.md#disablewidgetsboard)
## PassportForWork CSP
-- [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
-## Reboot CSP
+## Printers
-- [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)
+- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
## RemoteDesktopServices
-- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md#limitservertoclientclipboardredirection)
-- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md#limitclienttoserverclipboardredirection)
-- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md#disconnectonlocklegacyauthn)
-- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md#disconnectonlockmicrosoftidentityauthn)
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
-## Search
-
-- [ConfigureSearchOnTaskbarMode](policy-csp-search.md#configuresearchontaskbarmode)
-
## SettingsSync
-- [DisableAccessibilitySettingSync](policy-csp-settingssync.md#disableaccessibilitysettingsync)
-- [DisableLanguageSettingSync](policy-csp-settingssync.md#disablelanguagesettingsync)
+- [EnableWindowsbackup](policy-csp-settingssync.md#enablewindowsbackup)
-## Sudo
+## Start
-- [EnableSudo](policy-csp-sudo.md#enablesudo)
+- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
+- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
-## System
+## TextInput
-- [HideUnsupportedHardwareNotifications](policy-csp-system.md#hideunsupportedhardwarenotifications)
-
-## SystemServices
-
-- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md#configurecomputerbrowserservicestartupmode)
-- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md#configureiisadminservicestartupmode)
-- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md#configureinfraredmonitorservicestartupmode)
-- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md#configureinternetconnectionsharingservicestartupmode)
-- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md#configurelxssmanagerservicestartupmode)
-- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md#configuremicrosoftftpservicestartupmode)
-- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md#configureremoteprocedurecalllocatorservicestartupmode)
-- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md#configureroutingandremoteaccessservicestartupmode)
-- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md#configuresimpletcpipservicesstartupmode)
-- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md#configurespecialadministrationconsolehelperservicestartupmode)
-- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md#configuressdpdiscoveryservicestartupmode)
-- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md#configureupnpdevicehostservicestartupmode)
-- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md#configurewebmanagementservicestartupmode)
-- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md#configurewindowsmediaplayernetworksharingservicestartupmode)
-- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md#configurewindowsmobilehotspotservicestartupmode)
-- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md#configureworldwidewebpublishingservicestartupmode)
+- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
## Update
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
-- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md#configuredeadlinenoautorebootforfeatureupdates)
-- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md#configuredeadlinenoautorebootforqualityupdates)
-- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
-
-## UserRights
-
-- [BypassTraverseChecking](policy-csp-userrights.md#bypasstraversechecking)
-- [ReplaceProcessLevelToken](policy-csp-userrights.md#replaceprocessleveltoken)
-- [ChangeTimeZone](policy-csp-userrights.md#changetimezone)
-- [ShutDownTheSystem](policy-csp-userrights.md#shutdownthesystem)
-- [LogOnAsBatchJob](policy-csp-userrights.md#logonasbatchjob)
-- [ProfileSystemPerformance](policy-csp-userrights.md#profilesystemperformance)
-- [DenyLogOnAsBatchJob](policy-csp-userrights.md#denylogonasbatchjob)
-- [LogOnAsService](policy-csp-userrights.md#logonasservice)
-- [IncreaseProcessWorkingSet](policy-csp-userrights.md#increaseprocessworkingset)
-- [DenyLogOnAsService](policy-csp-userrights.md#denylogonasservice)
-- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md#adjustmemoryquotasforprocess)
-- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md#allowlogonthroughremotedesktop)
-
-## WebThreatDefense
-
-- [AutomaticDataCollection](policy-csp-webthreatdefense.md#automaticdatacollection)
## Wifi
@@ -281,9 +169,14 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
-- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
+- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
+- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
+- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
+- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
+- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)
+- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
## WindowsLicensing CSP
@@ -294,11 +187,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription)
- [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription)
-## WindowsSandbox
-
-- [AllowMappedFolders](policy-csp-windowssandbox.md#allowmappedfolders)
-- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md#allowwritetomappedfolders)
-
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 0fa200d984..dcd77fb5aa 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,7 +1,8 @@
---
title: Policy CSP
description: Learn more about the Policy CSP.
-ms.date: 08/07/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1152,6 +1153,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Settings](policy-csp-settings.md)
- [SettingsSync](policy-csp-settingssync.md)
- [SmartScreen](policy-csp-smartscreen.md)
+- [SpeakForMe](policy-csp-speakforme.md)
- [Speech](policy-csp-speech.md)
- [Start](policy-csp-start.md)
- [Stickers](policy-csp-stickers.md)
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 05e84c1ade..85f21fa615 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,7 +1,8 @@
---
title: AboveLock Policy CSP
description: Learn more about the AboveLock Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 472fa8e6dc..76022ccc57 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -1,7 +1,8 @@
---
title: Accounts Policy CSP
description: Learn more about the Accounts Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 7fe5d7be45..e5822bdb83 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -1,7 +1,8 @@
---
title: ActiveXControls Policy CSP
description: Learn more about the ActiveXControls Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
index 23c46228c0..9fe709cf14 100644
--- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -1,7 +1,8 @@
---
title: ADMX_ActiveXInstallService Policy CSP
description: Learn more about the ADMX_ActiveXInstallService Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index 5aa088da13..e652181356 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -1,7 +1,8 @@
---
title: ADMX_AddRemovePrograms Policy CSP
description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md
index 4522a908ac..a180c7b671 100644
--- a/windows/client-management/mdm/policy-csp-admx-admpwd.md
+++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md
@@ -1,7 +1,8 @@
---
title: ADMX_AdmPwd Policy CSP
description: Learn more about the ADMX_AdmPwd Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
index af4c3a1089..eeea7fe122 100644
--- a/windows/client-management/mdm/policy-csp-admx-appcompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -1,7 +1,8 @@
---
title: ADMX_AppCompat Policy CSP
description: Learn more about the ADMX_AppCompat Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
index 0cdd78d66b..dd10e18ae3 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -1,7 +1,8 @@
---
title: ADMX_AppxPackageManager Policy CSP
description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -32,7 +33,7 @@ ms.date: 08/06/2024
-This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
+This policy setting allows you to manage the deployment of packaged Microsoft Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies.
@@ -42,9 +43,9 @@ Temporary user profiles, which are created when an error prevents the correct pr
User profiles for the Guest account and members of the Guests group.
-- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
+- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of packaged Microsoft Store apps when using a special profile.
-- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
+- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of packaged Microsoft Store apps when using a special profile.
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
index 540235107e..4dc7bea270 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -1,7 +1,8 @@
---
title: ADMX_AppXRuntime Policy CSP
description: Learn more about the ADMX_AppXRuntime Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -32,11 +33,11 @@ ms.date: 08/06/2024
-This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
+This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer.
-- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
+- If you enable this policy setting, you can define additional Content URI Rules that all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer can use.
-- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
+- If you disable or don't set this policy setting, packaged Microsoft Store apps will only use the static Content URI Rules.
@@ -60,7 +61,7 @@ This policy setting lets you turn on Content URI Rules to supplement the static
| Name | Value |
|:--|:--|
| Name | AppxRuntimeApplicationContentUriRules |
-| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps |
+| Friendly Name | Turn on dynamic Content URI Rules for packaged Microsoft Store apps |
| Location | Computer Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications |
@@ -95,11 +96,11 @@ This policy setting lets you turn on Content URI Rules to supplement the static
-This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
+This policy setting lets you control whether packaged Microsoft Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a packaged Microsoft Store app might compromise the system by opening a file in the default desktop app for a file type.
-- If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
+- If you enable this policy setting, packaged Microsoft Store apps can't open files in the default desktop app for a file type; they can open files only in other packaged Microsoft Store apps.
-- If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
+- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open files in the default desktop app for a file type.
@@ -219,14 +220,14 @@ This policy shouldn't be enabled unless recommended by Microsoft as a security r
-This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
+This policy setting lets you control whether packaged Microsoft Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a URI scheme launched by a packaged Microsoft Store app might compromise the system by launching a desktop app.
-- If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
+- If you enable this policy setting, packaged Microsoft Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other packaged Microsoft Store apps.
-- If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
+- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open URIs in the default desktop app for a URI scheme.
> [!NOTE]
-> Enabling this policy setting doesn't block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
+> Enabling this policy setting doesn't block packaged Microsoft Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
index 03730b7ad4..654b4071c2 100644
--- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
@@ -1,7 +1,8 @@
---
title: ADMX_AttachmentManager Policy CSP
description: Learn more about the ADMX_AttachmentManager Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
index 3758b90ad9..a9d1568c27 100644
--- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -1,7 +1,8 @@
---
title: ADMX_AuditSettings Policy CSP
description: Learn more about the ADMX_AuditSettings Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
index 00b4cf5513..73bc2cb4d1 100644
--- a/windows/client-management/mdm/policy-csp-admx-bits.md
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -1,7 +1,8 @@
---
title: ADMX_Bits Policy CSP
description: Learn more about the ADMX_Bits Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -348,7 +349,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
-You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule.
+You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
- If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used.
@@ -412,7 +413,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
-You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
+You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
- If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
index 54835ffbf0..c5ac251bbb 100644
--- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -1,7 +1,8 @@
---
title: ADMX_CipherSuiteOrder Policy CSP
description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
index 308d376d86..d0d10f976e 100644
--- a/windows/client-management/mdm/policy-csp-admx-com.md
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -1,7 +1,8 @@
---
title: ADMX_COM Policy CSP
description: Learn more about the ADMX_COM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index b819fe73bf..ff11797b8f 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -1,7 +1,8 @@
---
title: ADMX_ControlPanel Policy CSP
description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -36,7 +37,7 @@ This setting allows you to display or hide specified Control Panel items, such a
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
-To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
+To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
@@ -243,7 +244,7 @@ If users try to select a Control Panel item from the Properties item on a contex
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
-To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
+To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index af2f85b62d..f52bcf1b61 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1,7 +1,8 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -519,7 +520,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
-If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image.
+If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image.
@@ -1351,7 +1352,7 @@ Specifies which theme file is applied to the computer the first time a user logs
|:--|:--|
| Name | CPL_Personalization_SetTheme |
| Friendly Name | Load a specific theme |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
| Path | Control Panel > Personalization |
| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
| ADMX File Name | ControlPanelDisplay.admx |
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md
index 8ff5777e97..184afe4fb7 100644
--- a/windows/client-management/mdm/policy-csp-admx-cpls.md
+++ b/windows/client-management/mdm/policy-csp-admx-cpls.md
@@ -1,7 +1,8 @@
---
title: ADMX_Cpls Policy CSP
description: Learn more about the ADMX_Cpls Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
index 66487275ce..30546fe858 100644
--- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
@@ -1,7 +1,8 @@
---
title: ADMX_CredentialProviders Policy CSP
description: Learn more about the ADMX_CredentialProviders Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md
index 3384029777..96885646be 100644
--- a/windows/client-management/mdm/policy-csp-admx-credssp.md
+++ b/windows/client-management/mdm/policy-csp-admx-credssp.md
@@ -1,7 +1,8 @@
---
title: ADMX_CredSsp Policy CSP
description: Learn more about the ADMX_CredSsp Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md
index 1d6008f006..d0efc5270c 100644
--- a/windows/client-management/mdm/policy-csp-admx-credui.md
+++ b/windows/client-management/mdm/policy-csp-admx-credui.md
@@ -1,7 +1,8 @@
---
title: ADMX_CredUI Policy CSP
description: Learn more about the ADMX_CredUI Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
index af5b17a0de..024f2b8973 100644
--- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
+++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
@@ -1,7 +1,8 @@
---
title: ADMX_CtrlAltDel Policy CSP
description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
index da6c059f32..093fcaea64 100644
--- a/windows/client-management/mdm/policy-csp-admx-datacollection.md
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -1,7 +1,8 @@
---
title: ADMX_DataCollection Policy CSP
description: Learn more about the ADMX_DataCollection Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md
index 82338c786f..c36eaf9f96 100644
--- a/windows/client-management/mdm/policy-csp-admx-dcom.md
+++ b/windows/client-management/mdm/policy-csp-admx-dcom.md
@@ -1,7 +1,8 @@
---
title: ADMX_DCOM Policy CSP
description: Learn more about the ADMX_DCOM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md
index 463d46efd4..47f5d14233 100644
--- a/windows/client-management/mdm/policy-csp-admx-desktop.md
+++ b/windows/client-management/mdm/policy-csp-admx-desktop.md
@@ -1,7 +1,8 @@
---
title: ADMX_Desktop Policy CSP
description: Learn more about the ADMX_Desktop Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
index ee02c1fdb1..0b0dd73b2e 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
@@ -1,7 +1,8 @@
---
title: ADMX_DeviceCompat Policy CSP
description: Learn more about the ADMX_DeviceCompat Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
index 9ea0e21a78..0e5aef2c55 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
@@ -1,7 +1,8 @@
---
title: ADMX_DeviceGuard Policy CSP
description: Learn more about the ADMX_DeviceGuard Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -34,7 +35,7 @@ ms.date: 08/06/2024
-Deploy Windows Defender Application Control.
+Deploy App Control for Business.
This policy setting lets you deploy a Code Integrity Policy to a machine to control what's allowed to run on that machine.
@@ -69,7 +70,7 @@ If using a signed and protected policy then disabling this policy setting doesn'
| Name | Value |
|:--|:--|
| Name | ConfigCIPolicy |
-| Friendly Name | Deploy Windows Defender Application Control |
+| Friendly Name | Deploy App Control for Business |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
index 04bbcda528..ec022eae1a 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
@@ -1,7 +1,8 @@
---
title: ADMX_DeviceInstallation Policy CSP
description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
index 67eea97170..426b54f900 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
@@ -1,7 +1,8 @@
---
title: ADMX_DeviceSetup Policy CSP
description: Learn more about the ADMX_DeviceSetup Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md
index 6e3f90a479..b49427af7e 100644
--- a/windows/client-management/mdm/policy-csp-admx-dfs.md
+++ b/windows/client-management/mdm/policy-csp-admx-dfs.md
@@ -1,7 +1,8 @@
---
title: ADMX_DFS Policy CSP
description: Learn more about the ADMX_DFS Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
index 44cc32a941..7dd12c55c1 100644
--- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md
+++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
@@ -1,7 +1,8 @@
---
title: ADMX_DigitalLocker Policy CSP
description: Learn more about the ADMX_DigitalLocker Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
index fd3f6d2bcd..b37f4e7fbd 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
@@ -1,7 +1,8 @@
---
title: ADMX_DiskDiagnostic Policy CSP
description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -32,7 +33,7 @@ ms.date: 08/06/2024
-This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault.
+This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
@@ -97,15 +98,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
-This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics.
+This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics.
-Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur.
+Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
-- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss.
+- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
-- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken.
+- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
-- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default.
+- If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
index c05e1abb81..aa1b5c42c8 100644
--- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -1,7 +1,8 @@
---
title: ADMX_DiskNVCache Policy CSP
description: Learn more about the ADMX_DiskNVCache Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
index 9ed30a6596..4017ed9f80 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskquota.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -1,7 +1,8 @@
---
title: ADMX_DiskQuota Policy CSP
description: Learn more about the ADMX_DiskQuota Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
index 86db7ab46f..657c704404 100644
--- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
+++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
@@ -1,7 +1,8 @@
---
title: ADMX_DistributedLinkTracking Policy CSP
description: Learn more about the ADMX_DistributedLinkTracking Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index 2f447009b6..2fcb54aa93 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -1,7 +1,8 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -91,7 +92,7 @@ Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualifie
-Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+Specifies that the DNS client may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.
@@ -103,7 +104,7 @@ If attaching suffixes is allowed, and a DNS client with a primary domain suffix
- If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
-- If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+- If you don't configure this policy setting, the DNS client will use its local settings to determine the query behavior for unqualified multi-label names.
@@ -162,9 +163,9 @@ Specifies a connection-specific DNS suffix. This policy setting supersedes local
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
-- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by the DNS client.
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied connection specific DNS suffix, if configured.
@@ -234,7 +235,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
-If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
@@ -295,11 +296,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
-Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
- If this policy setting is enabled, IDNs aren't converted to Punycode.
-- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
+- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
@@ -413,13 +414,13 @@ Specifies whether the DNS client should convert internationalized domain names (
-Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+Defines the DNS servers to which the DNS client sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
-- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the list of DNS servers is applied to all network connections used by the DNS client.
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied list of DNS servers, if configured.
@@ -535,18 +536,18 @@ Specifies that responses from link local name resolution protocols received over
-Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+Specifies the primary DNS suffix used by the DNS client in DNS name registration and DNS name resolution.
To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
> [!IMPORTANT]
-> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
+> In order for changes to this policy setting to be applied on the DNS client, you must restart Windows.
- If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
-- If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client uses the local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
@@ -600,18 +601,18 @@ You can use this policy setting to prevent users, including local administrators
-Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
-By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`.
-- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
-For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled.
> [!IMPORTANT]
-> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
+> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
-- If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client won't register any A and PTR resource records using a connection-specific DNS suffix.
@@ -666,7 +667,7 @@ For example, with a computer name of mycomputer, a primary DNS suffix of microso
-Specifies if DNS client computers will register PTR resource records.
+Specifies if the DNS client will register PTR resource records.
By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
@@ -674,13 +675,13 @@ By default, DNS clients configured to perform dynamic DNS registration will atte
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
-Don't register: Computers won't attempt to register PTR resource records.
+Don't register: the DNS client won't attempt to register PTR resource records.
-Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
+Register: the DNS client will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
-Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
+Register only if A record registration succeeds: the DNS client will attempt to register PTR resource records only if registration of the corresponding A records was successful.
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use locally configured settings.
@@ -734,11 +735,11 @@ Register only if A record registration succeeds: Computers will attempt to regis
-Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+Specifies if DNS dynamic update is enabled. DNS clients configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
-- If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
+- If you enable this policy setting, or you don't configure this policy setting, the DNS client will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
-- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
+- If you disable this policy setting, the DNS client may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
@@ -795,7 +796,7 @@ Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
-This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
+This policy setting is designed for DNS clients that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other DNS clients.
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
@@ -856,18 +857,18 @@ During dynamic update of resource records in a zone that doesn't use Secure Dyna
-Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies DNS clients performing dynamic DNS updates.
-Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
+DNS clients configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
> [!WARNING]
> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
-- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by DNS clients that receive this policy setting.
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied setting. By default, DNS clients configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
@@ -921,13 +922,13 @@ To specify the registration refresh interval, click Enabled and then enter a val
-Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
+Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by the DNS client to which this policy setting is applied.
To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
-- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by the DNS client.
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
@@ -985,7 +986,7 @@ Specifies the DNS suffixes to attach to an unqualified single-label name before
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".
-Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
+DNS clients that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
@@ -1170,15 +1171,15 @@ Specifies the security level for dynamic DNS updates.
To use this policy setting, click Enabled and then select one of the following values:
-Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
+Unsecure followed by secure - the DNS client sends secure dynamic updates only when nonsecure dynamic updates are refused.
-Only unsecure - computers send only nonsecure dynamic updates.
+Only unsecure - the DNS client sends only nonsecure dynamic updates.
-Only secure - computers send only secure dynamic updates.
+Only secure - The DNS client sends only secure dynamic updates.
-- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
+- If you enable this policy setting, DNS clients that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
+- If you disable this policy setting, or if you don't configure this policy setting, DNS clients will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
@@ -1232,13 +1233,13 @@ Only secure - computers send only secure dynamic updates.
-Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
+Specifies if the DNS client may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
-- If you enable this policy setting, computers send dynamic updates to any zone that's authoritative for the resource records that the computer needs to update, except the root zone.
+- If you enable this policy setting, the DNS client sends dynamic updates to any zone that's authoritative for the resource records that the DNS client needs to update, except the root zone.
-- If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client doesn't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the DNS client needs to update.
@@ -1309,7 +1310,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
-If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
@@ -1370,11 +1371,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
-Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+Specifies that link local multicast name resolution (LLMNR) is disabled on the DNS client.
-LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
+LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a DNS client to another DNS client on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
-- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
+- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the DNS client.
- If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md
index 1cfe66691d..abf3f0c411 100644
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md
+++ b/windows/client-management/mdm/policy-csp-admx-dwm.md
@@ -1,7 +1,8 @@
---
title: ADMX_DWM Policy CSP
description: Learn more about the ADMX_DWM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md
index 8c7874f974..42f7ad4fe5 100644
--- a/windows/client-management/mdm/policy-csp-admx-eaime.md
+++ b/windows/client-management/mdm/policy-csp-admx-eaime.md
@@ -1,7 +1,8 @@
---
title: ADMX_EAIME Policy CSP
description: Learn more about the ADMX_EAIME Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
index 4ff4c47c53..5260ac88e1 100644
--- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
+++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
@@ -1,7 +1,8 @@
---
title: ADMX_EncryptFilesonMove Policy CSP
description: Learn more about the ADMX_EncryptFilesonMove Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
index f9c29b883f..2c8d9514f5 100644
--- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
@@ -1,7 +1,8 @@
---
title: ADMX_EnhancedStorage Policy CSP
description: Learn more about the ADMX_EnhancedStorage Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
index 7c0a9b383c..7f1e33d55e 100644
--- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
@@ -1,7 +1,8 @@
---
title: ADMX_ErrorReporting Policy CSP
description: Learn more about the ADMX_ErrorReporting Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
index 13353ee9ca..74214050d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -1,7 +1,8 @@
---
title: ADMX_EventForwarding Policy CSP
description: Learn more about the ADMX_EventForwarding Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md
index 016c98016e..edb3cbcd0f 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlog.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md
@@ -1,7 +1,8 @@
---
title: ADMX_EventLog Policy CSP
description: Learn more about the ADMX_EventLog Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md
index 3c13367734..0e2affb87c 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md
@@ -1,7 +1,8 @@
---
title: ADMX_EventLogging Policy CSP
description: Learn more about the ADMX_EventLogging Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md
index 74f43583b2..809ac58355 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md
@@ -1,7 +1,8 @@
---
title: ADMX_EventViewer Policy CSP
description: Learn more about the ADMX_EventViewer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
index e9a61f1c6b..54b2715072 100644
--- a/windows/client-management/mdm/policy-csp-admx-explorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -1,7 +1,8 @@
---
title: ADMX_Explorer Policy CSP
description: Learn more about the ADMX_Explorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -120,7 +121,7 @@ This policy setting configures File Explorer to always display the menu bar.
| Name | Value |
|:--|:--|
| Name | AlwaysShowClassicMenu |
-| Friendly Name | Display the menu bar in File Explorer |
+| Friendly Name | Display the menu bar in File Explorer |
| Location | User Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md
index 5f345d1ef6..2b32f842e4 100644
--- a/windows/client-management/mdm/policy-csp-admx-externalboot.md
+++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md
@@ -1,7 +1,8 @@
---
title: ADMX_ExternalBoot Policy CSP
description: Learn more about the ADMX_ExternalBoot Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
index f2b3cb91db..84e154a8f0 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@@ -1,7 +1,8 @@
---
title: ADMX_FileRecovery Policy CSP
description: Learn more about the ADMX_FileRecovery Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
index f62f39edaf..e17de8381a 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
@@ -1,7 +1,8 @@
---
title: ADMX_FileRevocation Policy CSP
description: Learn more about the ADMX_FileRevocation Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -36,7 +37,7 @@ Windows Runtime applications can protect content which has been associated with
Example value:
-Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy.
+`Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.
diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
index f539b5910d..e9b8b96d7f 100644
--- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
+++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
@@ -1,7 +1,8 @@
---
title: ADMX_FileServerVSSProvider Policy CSP
description: Learn more about the ADMX_FileServerVSSProvider Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index 03c6eabd47..33379196d4 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -1,7 +1,8 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -260,7 +261,7 @@ Encrypting the page file prevents malicious users from reading data that has bee
-Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
+Enabling Win32 long paths will allow manifested win32 applications and packaged Microsoft Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
@@ -317,7 +318,7 @@ Enabling Win32 long paths will allow manifested win32 applications and Windows S
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
-If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
+If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
index bd04e0fa4f..72c19e4951 100644
--- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md
+++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
@@ -1,7 +1,8 @@
---
title: ADMX_FolderRedirection Policy CSP
description: Learn more about the ADMX_FolderRedirection Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md
index a6e699f57e..afba6b4512 100644
--- a/windows/client-management/mdm/policy-csp-admx-framepanes.md
+++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md
@@ -1,7 +1,8 @@
---
title: ADMX_FramePanes Policy CSP
description: Learn more about the ADMX_FramePanes Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md
index 6151b18e4e..35b554fc9a 100644
--- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md
+++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md
@@ -1,7 +1,8 @@
---
title: ADMX_fthsvc Policy CSP
description: Learn more about the ADMX_fthsvc Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md
index 6dc909c654..56ed340242 100644
--- a/windows/client-management/mdm/policy-csp-admx-globalization.md
+++ b/windows/client-management/mdm/policy-csp-admx-globalization.md
@@ -1,7 +1,8 @@
---
title: ADMX_Globalization Policy CSP
description: Learn more about the ADMX_Globalization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -638,7 +639,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol
-This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list.
+This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list.
The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
@@ -1097,7 +1098,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
-When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
@@ -1166,7 +1167,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
-When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
index e28587728d..990f6f9dcb 100644
--- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
@@ -1,7 +1,8 @@
---
title: ADMX_GroupPolicy Policy CSP
description: Learn more about the ADMX_GroupPolicy Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md
index fdb73b28f4..5be7157ce1 100644
--- a/windows/client-management/mdm/policy-csp-admx-help.md
+++ b/windows/client-management/mdm/policy-csp-admx-help.md
@@ -1,7 +1,8 @@
---
title: ADMX_Help Policy CSP
description: Learn more about the ADMX_Help Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
index 6f4a746867..e2d790f3ee 100644
--- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
@@ -1,7 +1,8 @@
---
title: ADMX_HelpAndSupport Policy CSP
description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
index 25af4fd561..9d18ab87a6 100644
--- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
+++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
@@ -1,7 +1,8 @@
---
title: ADMX_hotspotauth Policy CSP
description: Learn more about the ADMX_hotspotauth Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md
index c1437d3c2c..d844742ecd 100644
--- a/windows/client-management/mdm/policy-csp-admx-icm.md
+++ b/windows/client-management/mdm/policy-csp-admx-icm.md
@@ -1,7 +1,8 @@
---
title: ADMX_ICM Policy CSP
description: Learn more about the ADMX_ICM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md
index 56fbe8386c..e007db0cf0 100644
--- a/windows/client-management/mdm/policy-csp-admx-iis.md
+++ b/windows/client-management/mdm/policy-csp-admx-iis.md
@@ -1,7 +1,8 @@
---
title: ADMX_IIS Policy CSP
description: Learn more about the ADMX_IIS Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md
index 8f386092d9..6f7a7b55be 100644
--- a/windows/client-management/mdm/policy-csp-admx-iscsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md
@@ -1,7 +1,8 @@
---
title: ADMX_iSCSI Policy CSP
description: Learn more about the ADMX_iSCSI Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md
index 17a430e267..eb6ed09af8 100644
--- a/windows/client-management/mdm/policy-csp-admx-kdc.md
+++ b/windows/client-management/mdm/policy-csp-admx-kdc.md
@@ -1,7 +1,8 @@
---
title: ADMX_kdc Policy CSP
description: Learn more about the ADMX_kdc Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md
index 44ad26e627..756376d2de 100644
--- a/windows/client-management/mdm/policy-csp-admx-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md
@@ -1,7 +1,8 @@
---
title: ADMX_Kerberos Policy CSP
description: Learn more about the ADMX_Kerberos Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -172,6 +173,8 @@ This policy setting allows you to specify which DNS host names and which DNS suf
+> [!NOTE]
+> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit. For more information, see [Kerberos realm to host mapping policy string-length limitations](https://support.microsoft.com/topic/e86856c2-1e02-43fe-9c58-d7c9d6386f01).
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
index 15984c691c..a8b4c178c4 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
@@ -1,7 +1,8 @@
---
title: ADMX_LanmanServer Policy CSP
description: Learn more about the ADMX_LanmanServer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
index b2fcbf19da..41d3f19fae 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
@@ -1,7 +1,8 @@
---
title: ADMX_LanmanWorkstation Policy CSP
description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
index 794a21e5a0..6b146cf631 100644
--- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
@@ -1,7 +1,8 @@
---
title: ADMX_LeakDiagnostic Policy CSP
description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
index 636061e02e..e204763874 100644
--- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
@@ -1,7 +1,8 @@
---
title: ADMX_LinkLayerTopologyDiscovery Policy CSP
description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
index 872eaf9994..a412891fdb 100644
--- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
+++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
@@ -1,7 +1,8 @@
---
title: ADMX_LocationProviderAdm Policy CSP
description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md
index dc5b8605ca..f54d096327 100644
--- a/windows/client-management/mdm/policy-csp-admx-logon.md
+++ b/windows/client-management/mdm/policy-csp-admx-logon.md
@@ -1,7 +1,8 @@
---
title: ADMX_Logon Policy CSP
description: Learn more about the ADMX_Logon Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 124f07bbb0..6d97074dc2 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -1,7 +1,8 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1523,11 +1524,13 @@ This policy setting defines the number of days items should be kept in the Quara
-This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
+This policy setting allows you to configure the randomization of the scheduled scan start time and the scheduled definition update start time.
-- If you disable or don't configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
+- If you enable or don't configure this policy setting, and didn't set a randomization window in the Configure scheduled task time randomization window setting , then randomization will be added between 0-4 hours.
-- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
+- If you enable or don't configure this policy setting, and set a randomization window in the Configure scheduled task time randomization window setting, the configured randomization window will be used.
+
+- If you disable this policy setting, but configured the scheduled task time randomization window, randomization won't be done.
@@ -2936,7 +2939,7 @@ This policy setting allows you to manage whether or not end users can pause a sc
-This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0.
+This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
- If you enable this setting, archive files will be scanned to the directory depth level specified.
@@ -2995,7 +2998,7 @@ This policy setting allows you to configure the maximum directory depth level in
-This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
+This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
- If you enable this setting, archive files less than or equal to the size specified will be scanned.
@@ -3054,7 +3057,7 @@ This policy setting allows you to configure the maximum size of archive files su
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.
@@ -3528,11 +3531,11 @@ This policy setting allows you to configure scanning mapped network drives.
-This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting.
+This policy setting allows the scanning of network files using on access protection. The default is enabled. Recommended to remain enabled in most cases.
-- If you enable this setting, network files will be scanned.
+- If you enable or don't configure this setting, network files will be scanned.
-- If you disable or don't configure this setting, network files won't be scanned.
+- If you disable this setting, network files won't be scanned.
@@ -3556,7 +3559,7 @@ This policy setting allows you to configure scanning for network files. It's rec
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
-| Friendly Name | Scan network files |
+| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@@ -5436,12 +5439,7 @@ Valid remediation action values are:
-
-This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
-
-- If you enable this setting, the additional text specified will be displayed.
-
-- If you disable or don't configure this setting, there will be no additional text displayed.
+
@@ -5458,6 +5456,7 @@ This policy setting allows you to configure whether or not to display additional
+
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -5465,10 +5464,6 @@ This policy setting allows you to configure whether or not to display additional
| Name | Value |
|:--|:--|
| Name | UX_Configuration_CustomDefaultActionToastString |
-| Friendly Name | Display additional text to clients when they need to perform an action |
-| Location | Computer Configuration |
-| Path | Windows Components > Microsoft Defender Antivirus > Client Interface |
-| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration |
| ADMX File Name | WindowsDefender.admx |
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md
index 2b2fc19e76..ee0f2f64f1 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmc.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmc.md
@@ -1,7 +1,8 @@
---
title: ADMX_MMC Policy CSP
description: Learn more about the ADMX_MMC Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
index 91840fc2df..3bfee0b99c 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
@@ -1,7 +1,8 @@
---
title: ADMX_MMCSnapins Policy CSP
description: Learn more about the ADMX_MMCSnapins Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
index ef789f1e59..a1e72125dd 100644
--- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
@@ -1,7 +1,8 @@
---
title: ADMX_MobilePCMobilityCenter Policy CSP
description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
index fd3c2b80c1..2bdad89c22 100644
--- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
@@ -1,7 +1,8 @@
---
title: ADMX_MobilePCPresentationSettings Policy CSP
description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
index f15b1bf8f8..47fa9b04a4 100644
--- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
@@ -1,7 +1,8 @@
---
title: ADMX_MSAPolicy Policy CSP
description: Learn more about the ADMX_MSAPolicy Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md
index 47f4f1113c..19b53cd8bd 100644
--- a/windows/client-management/mdm/policy-csp-admx-msched.md
+++ b/windows/client-management/mdm/policy-csp-admx-msched.md
@@ -1,7 +1,8 @@
---
title: ADMX_msched Policy CSP
description: Learn more about the ADMX_msched Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md
index 4824f2f7af..77e9a412d2 100644
--- a/windows/client-management/mdm/policy-csp-admx-msdt.md
+++ b/windows/client-management/mdm/policy-csp-admx-msdt.md
@@ -1,7 +1,8 @@
---
title: ADMX_MSDT Policy CSP
description: Learn more about the ADMX_MSDT Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md
index 104e20e9ca..d95bea4d31 100644
--- a/windows/client-management/mdm/policy-csp-admx-msi.md
+++ b/windows/client-management/mdm/policy-csp-admx-msi.md
@@ -1,7 +1,8 @@
---
title: ADMX_MSI Policy CSP
description: Learn more about the ADMX_MSI Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
index 5fd4e17f27..ddea63e18e 100644
--- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
@@ -1,7 +1,8 @@
---
title: ADMX_MsiFileRecovery Policy CSP
description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
index a99b4bd0bf..f30f26a334 100644
--- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
+++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
@@ -1,7 +1,8 @@
---
title: ADMX_MSS-legacy Policy CSP
description: Learn more about the ADMX_MSS-legacy Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index 4c6b4307a3..e1aa9cee16 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -1,7 +1,8 @@
---
title: ADMX_nca Policy CSP
description: Learn more about the ADMX_nca Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 05752f6756..42de79d204 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -1,7 +1,8 @@
---
title: ADMX_NCSI Policy CSP
description: Learn more about the ADMX_NCSI Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index 6603256c75..7d9ab6185d 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -1,7 +1,8 @@
---
title: ADMX_Netlogon Policy CSP
description: Learn more about the ADMX_Netlogon Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -420,6 +421,8 @@ Note that this policy setting doesn't affect NetBIOS-based discovery for DC loca
- If you enable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
+
+This setting has no effect unless the BlockNetbiosDiscovery setting is disabled. NetBIOS-based discovery is considered unsecure, has many limitations, and will be deprecated in a future release. For these reasons, NetBIOS-based discovery isn't recommended. See for more information.
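Review bot: The added paragraph ends with the dangling sentence "See for more information." — the link target was lost, so readers get no pointer to the deprecation guidance the sentence promises. Either supply the reference, e.g. `See [PLACEHOLDER: link to the NetBIOS-based DC discovery deprecation article] for more information.`, or drop the sentence until the target exists. Since the paragraph tells administrators that NetBIOS-based discovery is unsecure and not recommended, the missing link is the one piece a defender would actually follow. The enclosing policy section continues outside the hunk.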
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
index d79ef60825..9861e1f408 100644
--- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md
+++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
@@ -1,7 +1,8 @@
---
title: ADMX_NetworkConnections Policy CSP
description: Learn more about the ADMX_NetworkConnections Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index f7467145fb..ca14cf11b9 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -1,7 +1,8 @@
---
title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -352,7 +353,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
-To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
+To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
@@ -413,7 +414,7 @@ This setting appears in the Computer Configuration and User Configuration folder
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
-To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
+To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md
index a2d2187900..12a079ed9c 100644
--- a/windows/client-management/mdm/policy-csp-admx-pca.md
+++ b/windows/client-management/mdm/policy-csp-admx-pca.md
@@ -1,7 +1,8 @@
---
title: ADMX_pca Policy CSP
description: Learn more about the ADMX_pca Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
index 37985a6c6e..8a5e2e1eed 100644
--- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
+++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
@@ -1,7 +1,8 @@
---
title: ADMX_PeerToPeerCaching Policy CSP
description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md
index 44ee096673..dc5a034d65 100644
--- a/windows/client-management/mdm/policy-csp-admx-pentraining.md
+++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md
@@ -1,7 +1,8 @@
---
title: ADMX_PenTraining Policy CSP
description: Learn more about the ADMX_PenTraining Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
index d8152d1814..ce8ed0a6be 100644
--- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
+++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
@@ -1,7 +1,8 @@
---
title: ADMX_PerformanceDiagnostics Policy CSP
description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
index 0ae111ff74..80cb0391aa 100644
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -1,7 +1,8 @@
---
title: ADMX_Power Policy CSP
description: Learn more about the ADMX_Power Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
index d16b9ad08c..80bf7ac963 100644
--- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
@@ -1,7 +1,8 @@
---
title: ADMX_PowerShellExecutionPolicy Policy CSP
description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md
index 48f1d71724..258e872a33 100644
--- a/windows/client-management/mdm/policy-csp-admx-previousversions.md
+++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md
@@ -1,7 +1,8 @@
---
title: ADMX_PreviousVersions Policy CSP
description: Learn more about the ADMX_PreviousVersions Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index d610c2f9e8..2c6b23768b 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -1,7 +1,8 @@
---
title: ADMX_Printing Policy CSP
description: Learn more about the ADMX_Printing Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -749,7 +750,7 @@ This preference allows you to change default printer management.
-Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022.
+Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2025.
- If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps).
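Review bot: The rewritten line still lists "Windows 10, Windows 10 and Windows Server 2025", so the version bump carried over a duplicated product name and the sentence reads as if two distinct Windows 10 entries were intended. Presumably one of them should be a different client release (Windows 11 seems likely but can't be confirmed from the hunk); suggest `Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, [PLACEHOLDER: second client OS] and Windows Server 2025.` and checking the source ADMX string for the intended list. The enclosing policy description continues outside the hunk.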
diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md
index c71f46d09d..dd8543a643 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing2.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing2.md
@@ -1,7 +1,8 @@
---
title: ADMX_Printing2 Policy CSP
description: Learn more about the ADMX_Printing2 Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
index 1c448b67f8..928117fb7b 100644
--- a/windows/client-management/mdm/policy-csp-admx-programs.md
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -1,7 +1,8 @@
---
title: ADMX_Programs Policy CSP
description: Learn more about the ADMX_Programs Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
index 805395134d..21a5f026d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
+++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
@@ -1,7 +1,8 @@
---
title: ADMX_PushToInstall Policy CSP
description: Learn more about the ADMX_PushToInstall Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md
index 00a0b30f09..121df9124f 100644
--- a/windows/client-management/mdm/policy-csp-admx-qos.md
+++ b/windows/client-management/mdm/policy-csp-admx-qos.md
@@ -1,7 +1,8 @@
---
title: ADMX_QOS Policy CSP
description: Learn more about the ADMX_QOS Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md
index ffcba6e38e..9196f8c101 100644
--- a/windows/client-management/mdm/policy-csp-admx-radar.md
+++ b/windows/client-management/mdm/policy-csp-admx-radar.md
@@ -1,7 +1,8 @@
---
title: ADMX_Radar Policy CSP
description: Learn more about the ADMX_Radar Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md
index c5ac96a8e4..bc92e44fae 100644
--- a/windows/client-management/mdm/policy-csp-admx-reliability.md
+++ b/windows/client-management/mdm/policy-csp-admx-reliability.md
@@ -1,7 +1,8 @@
---
title: ADMX_Reliability Policy CSP
description: Learn more about the ADMX_Reliability Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
index fa9cd31f9c..39a5c54ac1 100644
--- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
@@ -1,7 +1,8 @@
---
title: ADMX_RemoteAssistance Policy CSP
description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
index 6010e92b08..6af1242454 100644
--- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
@@ -1,7 +1,8 @@
---
title: ADMX_RemovableStorage Policy CSP
description: Learn more about the ADMX_RemovableStorage Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
index c39da81dc2..20b71871da 100644
--- a/windows/client-management/mdm/policy-csp-admx-rpc.md
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -1,7 +1,8 @@
---
title: ADMX_RPC Policy CSP
description: Learn more about the ADMX_RPC Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md
index 8e30372654..29c561bce4 100644
--- a/windows/client-management/mdm/policy-csp-admx-sam.md
+++ b/windows/client-management/mdm/policy-csp-admx-sam.md
@@ -1,7 +1,8 @@
---
title: ADMX_sam Policy CSP
description: Learn more about the ADMX_sam Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index e4f196f9c1..a6f14787c7 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -1,7 +1,8 @@
---
title: ADMX_Scripts Policy CSP
description: Learn more about the ADMX_Scripts Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
index f1a0bd29ec..c7df498781 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
@@ -1,7 +1,8 @@
---
title: ADMX_sdiageng Policy CSP
description: Learn more about the ADMX_sdiageng Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
index 449d3b0270..ddbaf8e3a1 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
@@ -1,7 +1,8 @@
---
title: ADMX_sdiagschd Policy CSP
description: Learn more about the ADMX_sdiagschd Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
index 5d85d32ab3..f9bd2b2d9c 100644
--- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
@@ -1,7 +1,8 @@
---
title: ADMX_Securitycenter Policy CSP
description: Learn more about the ADMX_Securitycenter Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md
index 3702686690..48ddd100cf 100644
--- a/windows/client-management/mdm/policy-csp-admx-sensors.md
+++ b/windows/client-management/mdm/policy-csp-admx-sensors.md
@@ -1,7 +1,8 @@
---
title: ADMX_Sensors Policy CSP
description: Learn more about the ADMX_Sensors Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md
index c61b343f81..3d6347374d 100644
--- a/windows/client-management/mdm/policy-csp-admx-servermanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md
@@ -1,7 +1,8 @@
---
title: ADMX_ServerManager Policy CSP
description: Learn more about the ADMX_ServerManager Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index b7608a80f3..9b97bf82aa 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -1,7 +1,8 @@
---
title: ADMX_Servicing Policy CSP
description: Learn more about the ADMX_Servicing Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md
index 28649a54bb..32ec1c0f80 100644
--- a/windows/client-management/mdm/policy-csp-admx-settingsync.md
+++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md
@@ -1,7 +1,8 @@
---
title: ADMX_SettingSync Policy CSP
description: Learn more about the ADMX_SettingSync Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
index dc791f72b5..27e087cf56 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
@@ -1,7 +1,8 @@
---
title: ADMX_SharedFolders Policy CSP
description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md
index fb685b026e..29aaa13813 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharing.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharing.md
@@ -1,7 +1,8 @@
---
title: ADMX_Sharing Policy CSP
description: Learn more about the ADMX_Sharing Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
index 87242a5c8d..7868dc6f91 100644
--- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
+++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
@@ -1,7 +1,8 @@
---
title: ADMX_ShellCommandPromptRegEditTools Policy CSP
description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index f7b65e39b9..f4a71bef5e 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -1,7 +1,8 @@
---
title: ADMX_Smartcard Policy CSP
description: Learn more about the ADMX_Smartcard Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md
index 36fe79b61d..2f50365b26 100644
--- a/windows/client-management/mdm/policy-csp-admx-snmp.md
+++ b/windows/client-management/mdm/policy-csp-admx-snmp.md
@@ -1,7 +1,8 @@
---
title: ADMX_Snmp Policy CSP
description: Learn more about the ADMX_Snmp Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md
index de2a3b6bf9..6094515818 100644
--- a/windows/client-management/mdm/policy-csp-admx-soundrec.md
+++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md
@@ -1,7 +1,8 @@
---
title: ADMX_SoundRec Policy CSP
description: Learn more about the ADMX_SoundRec Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md
index 9f738881cb..d8c7480832 100644
--- a/windows/client-management/mdm/policy-csp-admx-srmfci.md
+++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md
@@ -1,7 +1,8 @@
---
title: ADMX_srmfci Policy CSP
description: Learn more about the ADMX_srmfci Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md
index e43437afce..2a80ace809 100644
--- a/windows/client-management/mdm/policy-csp-admx-startmenu.md
+++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md
@@ -1,7 +1,8 @@
---
title: ADMX_StartMenu Policy CSP
description: Learn more about the ADMX_StartMenu Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -997,7 +998,7 @@ This policy setting allows you to prevent users from changing their Start screen
|:--|:--|
| Name | NoChangeStartMenu |
| Friendly Name | Prevent users from customizing their Start Screen |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | NoChangeStartMenu |
diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
index 5cabd1d034..eeb57dfceb 100644
--- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md
+++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
@@ -1,7 +1,8 @@
---
title: ADMX_SystemRestore Policy CSP
description: Learn more about the ADMX_SystemRestore Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
index 53afd9ca6d..134dcb28e4 100644
--- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
@@ -1,7 +1,8 @@
---
title: ADMX_TabletPCInputPanel Policy CSP
description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
index 54cd7e2993..2958e9e921 100644
--- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md
+++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
@@ -1,7 +1,8 @@
---
title: ADMX_TabletShell Policy CSP
description: Learn more about the ADMX_TabletShell Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md
index 15a624d898..a9a78648d1 100644
--- a/windows/client-management/mdm/policy-csp-admx-taskbar.md
+++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md
@@ -1,7 +1,8 @@
---
title: ADMX_Taskbar Policy CSP
description: Learn more about the ADMX_Taskbar Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -69,7 +70,7 @@ A reboot is required for this policy setting to take effect.
|:--|:--|
| Name | DisableNotificationCenter |
| Friendly Name | Remove Notifications and Action Center |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableNotificationCenter |
@@ -748,11 +749,11 @@ This policy setting allows you to turn off automatic promotion of notification i
-This policy setting allows users to see Windows Store apps on the taskbar.
+This policy setting allows users to see packaged Microsoft Store apps on the taskbar.
-- If you enable this policy setting, users will see Windows Store apps on the taskbar.
+- If you enable this policy setting, users will see packaged Microsoft Store apps on the taskbar.
-- If you disable this policy setting, users won't see Windows Store apps on the taskbar.
+- If you disable this policy setting, users won't see packaged Microsoft Store apps on the taskbar.
- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it.
@@ -778,7 +779,7 @@ This policy setting allows users to see Windows Store apps on the taskbar.
| Name | Value |
|:--|:--|
| Name | ShowWindowsStoreAppsOnTaskbar |
-| Friendly Name | Show Windows Store apps on the taskbar |
+| Friendly Name | Show packaged Microsoft Store apps on the taskbar |
| Location | User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md
index 2cf61bd6b9..b9eca775bc 100644
--- a/windows/client-management/mdm/policy-csp-admx-tcpip.md
+++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md
@@ -1,7 +1,8 @@
---
title: ADMX_tcpip Policy CSP
description: Learn more about the ADMX_tcpip Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index c4f588506a..e5582ef354 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -1,7 +1,8 @@
---
title: ADMX_TerminalServer Policy CSP
description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -3585,7 +3586,7 @@ This policy setting allows you to specify which protocols can be used for Remote
- If you enable this policy setting, you must specify if you would like RDP to use UDP.
-You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)".
+You can select one of the following options: "Use either UDP or TCP (default)" or "Use only TCP".
If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP.
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
index 7095179c9c..68ed3bd626 100644
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md
+++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
@@ -1,7 +1,8 @@
---
title: ADMX_Thumbnails Policy CSP
description: Learn more about the ADMX_Thumbnails Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -95,11 +96,14 @@ File Explorer displays thumbnail images by default.
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
-File Explorer displays thumbnail images on network folders by default.
+File Explorer displays only icons and never displays thumbnail images on network folders by default.
-- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
+- If you disable this policy setting, File Explorer displays thumbnail images on network folders.
-- If you disable or don't configure this policy setting, File Explorer displays only thumbnail images on network folders.
+- If you enable or don't configure this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
+
+> [!NOTE]
+> Allowing the use of thumbnail images from network folders can expose the users' computers to security risks.
diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md
index 0dd7cbbfb3..6c4a106687 100644
--- a/windows/client-management/mdm/policy-csp-admx-touchinput.md
+++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md
@@ -1,7 +1,8 @@
---
title: ADMX_TouchInput Policy CSP
description: Learn more about the ADMX_TouchInput Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md
index f32dd4464c..d562fe09f8 100644
--- a/windows/client-management/mdm/policy-csp-admx-tpm.md
+++ b/windows/client-management/mdm/policy-csp-admx-tpm.md
@@ -1,7 +1,8 @@
---
title: ADMX_TPM Policy CSP
description: Learn more about the ADMX_TPM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index 01ba02840f..aa95c5771b 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -1,7 +1,8 @@
---
title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -7541,7 +7542,7 @@ This policy setting configures where custom settings location templates are stor
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
-If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored.
+If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index f6d72112f3..e169874574 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -1,7 +1,8 @@
---
title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -157,7 +158,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
-By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
+By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
- If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.
diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md
index 36500806d4..c5e04d51fe 100644
--- a/windows/client-management/mdm/policy-csp-admx-w32time.md
+++ b/windows/client-management/mdm/policy-csp-admx-w32time.md
@@ -1,7 +1,8 @@
---
title: ADMX_W32Time Policy CSP
description: Learn more about the ADMX_W32Time Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md
index 67bae2d6f2..eddfd41aa9 100644
--- a/windows/client-management/mdm/policy-csp-admx-wcm.md
+++ b/windows/client-management/mdm/policy-csp-admx-wcm.md
@@ -1,7 +1,8 @@
---
title: ADMX_WCM Policy CSP
description: Learn more about the ADMX_WCM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md
index 1c28ee517e..886ee5fbba 100644
--- a/windows/client-management/mdm/policy-csp-admx-wdi.md
+++ b/windows/client-management/mdm/policy-csp-admx-wdi.md
@@ -1,7 +1,8 @@
---
title: ADMX_WDI Policy CSP
description: Learn more about the ADMX_WDI Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md
index 182bcadb67..fda5e84038 100644
--- a/windows/client-management/mdm/policy-csp-admx-wincal.md
+++ b/windows/client-management/mdm/policy-csp-admx-wincal.md
@@ -1,7 +1,8 @@
---
title: ADMX_WinCal Policy CSP
description: Learn more about the ADMX_WinCal Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
index d975aa7c0c..938407c19d 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsColorSystem Policy CSP
description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
index 581b608823..547df1e902 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsConnectNow Policy CSP
description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index 44d542de9d..ee2d66d528 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -472,7 +473,15 @@ You can specify a known folder using its known folder id or using its canonical
-
+
+This policy setting determines the application of the Mark of the Web tag to files sourced from insecure locations.
+
+- If you enable this policy setting, files copied from unsecure sources won't be tagged with the Mark of the Web.
+
+- If you disable or don't configure this policy setting, files copied from unsecure sources will be tagged with the appropriate Mark of the Web.
+
+> [!NOTE]
+> Failure to tag files from unsecure sources with the Mark of the Web can expose users' computers to security risks.
@@ -489,7 +498,6 @@ You can specify a known folder using its known folder id or using its canonical
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -497,6 +505,11 @@ You can specify a known folder using its known folder id or using its canonical
| Name | Value |
|:--|:--|
| Name | DisableMotWOnInsecurePathCopy |
+| Friendly Name | Do not apply the Mark of the Web tag to files copied from insecure sources |
+| Location | Computer Configuration |
+| Path | WindowsComponents > File Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
+| Registry Value Name | DisableMotWOnInsecurePathCopy |
| ADMX File Name | WindowsExplorer.admx |
@@ -4456,7 +4469,7 @@ Shows or hides sleep from the power options menu.
-This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file.
+This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file.
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
index 1e41f5c049..ef7a2157f4 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsMediaDRM Policy CSP
description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
index 7f1dc35461..038328fa16 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsMediaPlayer Policy CSP
description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
index 6839ac8703..999113f8f3 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsRemoteManagement Policy CSP
description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
index 16548d4632..af0e371994 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
@@ -1,7 +1,8 @@
---
title: ADMX_WindowsStore Policy CSP
description: Learn more about the ADMX_WindowsStore Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md
index 53c453b291..626f2e0cf7 100644
--- a/windows/client-management/mdm/policy-csp-admx-wininit.md
+++ b/windows/client-management/mdm/policy-csp-admx-wininit.md
@@ -1,7 +1,8 @@
---
title: ADMX_WinInit Policy CSP
description: Learn more about the ADMX_WinInit Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md
index 3777efde58..4921e607a7 100644
--- a/windows/client-management/mdm/policy-csp-admx-winlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md
@@ -1,7 +1,8 @@
---
title: ADMX_WinLogon Policy CSP
description: Learn more about the ADMX_WinLogon Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md
index 4bb456deae..aeb9221473 100644
--- a/windows/client-management/mdm/policy-csp-admx-winsrv.md
+++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md
@@ -1,7 +1,8 @@
---
title: ADMX_Winsrv Policy CSP
description: Learn more about the ADMX_Winsrv Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
index f757409689..27ddcde8a5 100644
--- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md
+++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
@@ -1,7 +1,8 @@
---
title: ADMX_wlansvc Policy CSP
description: Learn more about the ADMX_wlansvc Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md
index 100d06044e..a9e13d8d5a 100644
--- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md
+++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md
@@ -1,7 +1,8 @@
---
title: ADMX_WordWheel Policy CSP
description: Learn more about the ADMX_WordWheel Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
index 0cc0f52149..b89ba70666 100644
--- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
@@ -1,7 +1,8 @@
---
title: ADMX_WorkFoldersClient Policy CSP
description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md
index bfddc2641c..300f775095 100644
--- a/windows/client-management/mdm/policy-csp-admx-wpn.md
+++ b/windows/client-management/mdm/policy-csp-admx-wpn.md
@@ -1,7 +1,8 @@
---
title: ADMX_WPN Policy CSP
description: Learn more about the ADMX_WPN Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -254,7 +255,7 @@ No reboots or service restarts are required for this policy setting to take effe
|:--|:--|
| Name | NoToastNotification |
| Friendly Name | Turn off toast notifications |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar > Notifications |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
| Registry Value Name | NoToastApplicationNotification |
diff --git a/windows/client-management/mdm/policy-csp-appdeviceinventory.md b/windows/client-management/mdm/policy-csp-appdeviceinventory.md
index 7e0fb8176b..93ca6fdfaa 100644
--- a/windows/client-management/mdm/policy-csp-appdeviceinventory.md
+++ b/windows/client-management/mdm/policy-csp-appdeviceinventory.md
@@ -1,7 +1,8 @@
---
title: AppDeviceInventory Policy CSP
description: Learn more about the AppDeviceInventory Area in Policy CSP.
-ms.date: 08/07/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -33,7 +34,12 @@ ms.date: 08/07/2024
-
+
+This policy controls the state of API Sampling. API Sampling monitors the sampled collection of application programming interfaces used during system runtime to help diagnose compatibility problems.
+
+- If you enable this policy, API Sampling won't be run.
+
+- If you disable or don't configure this policy, API Sampling will be turned on.
@@ -50,7 +56,6 @@ ms.date: 08/07/2024
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -58,6 +63,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffAPISamping |
+| Friendly Name | Turn off API Sampling |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableAPISamping |
| ADMX File Name | AppDeviceInventory.admx |
@@ -83,7 +93,12 @@ ms.date: 08/07/2024
-
+
+This policy controls the state of Application Footprint. Application Footprint monitors the sampled collection of registry and file usage to help diagnose compatibility problems.
+
+- If you enable this policy, Application Footprint won't be run.
+
+- If you disable or don't configure this policy, Application Footprint will be turned on.
@@ -100,7 +115,6 @@ ms.date: 08/07/2024
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -108,6 +122,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffApplicationFootprint |
+| Friendly Name | Turn off Application Footprint |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableApplicationFootprint |
| ADMX File Name | AppDeviceInventory.admx |
@@ -133,7 +152,12 @@ ms.date: 08/07/2024
-
+
+This policy controls the state of Install Tracing. Install Tracing is a mechanism that tracks application installs to help diagnose compatibility problems.
+
+- If you enable this policy, Install Tracing won't be run.
+
+- If you disable or don't configure this policy, Install Tracing will be turned on.
@@ -150,7 +174,6 @@ ms.date: 08/07/2024
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -158,6 +181,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffInstallTracing |
+| Friendly Name | Turn off Install Tracing |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableInstallTracing |
| ADMX File Name | AppDeviceInventory.admx |
@@ -167,6 +195,65 @@ ms.date: 08/07/2024
+
+## TurnOffWin32AppBackup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/AppDeviceInventory/TurnOffWin32AppBackup
+```
+
+
+
+
+This policy controls the state of the compatibility scan for backed up applications. The compatibility scan for backed up applications evaluates for compatibility problems in installed applications.
+
+- If you enable this policy, the compatibility scan for backed up applications won't be run.
+
+- If you disable or don't configure this policy, the compatibility scan for backed up applications will be run.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TurnOffWin32AppBackup |
+| Friendly Name | Turn off compatibility scan for backed up applications |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableWin32AppBackup |
+| ADMX File Name | AppDeviceInventory.admx |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 8b9aeb6e3c..91b1fc4ac8 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -1,7 +1,8 @@
---
title: ApplicationDefaults Policy CSP
description: Learn more about the ApplicationDefaults Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 7b1698c462..a35a33a38a 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,7 +1,8 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,6 +10,10 @@ ms.date: 04/10/2024
# Policy CSP - ApplicationManagement
+[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -30,11 +35,11 @@ ms.date: 04/10/2024
-This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
+This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed packaged Microsoft Store apps.
-- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
+- If you enable this policy setting, you can install any LOB or developer-signed packaged Microsoft Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
-- If you disable or don't configure this policy setting, you can't install LOB or developer-signed Windows Store apps.
+- If you disable or don't configure this policy setting, you can't install LOB or developer-signed packaged Microsoft Store apps.
@@ -269,7 +274,7 @@ Allows or denies development of Microsoft Store applications and installing them
| Name | Value |
|:--|:--|
| Name | AllowDevelopmentWithoutDevLicense |
-| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) |
+| Friendly Name | Allows development of packaged Microsoft Store apps and installing them from an integrated development environment (IDE) |
| Location | Computer Configuration |
| Path | Windows Components > App Package Deployment |
| Registry Key Name | Software\Policies\Microsoft\Windows\Appx |
@@ -283,6 +288,56 @@ Allows or denies development of Microsoft Store applications and installing them
+
+## AllowedNonAdminPackageFamilyNameRules
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowedNonAdminPackageFamilyNameRules
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowedNonAdminPackageFamilyNameRules |
+| ADMX File Name | AppxPackageManager.admx |
+
+
+
+
+
+
+
+
## AllowGameDVR
@@ -371,7 +426,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st
Manages a Windows app's ability to share data between users who have installed the app.
-- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API.
+- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API.
- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder.
@@ -629,7 +684,7 @@ Disable turns off the launch of all apps from the Microsoft Store that came pre-
| Name | Value |
|:--|:--|
| Name | DisableStoreApps |
-| Friendly Name | Disable all apps from Microsoft Store |
+| Friendly Name | Disable all apps from Microsoft Store |
| Location | Computer Configuration |
| Path | Windows Components > Store |
| Registry Key Name | Software\Policies\Microsoft\WindowsStore |
@@ -867,7 +922,7 @@ This policy setting directs Windows Installer to use elevated permissions when i
Denies access to the retail catalog in the Microsoft Store, but displays the private store.
-- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store.
+- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store.
- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store.
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 20cddfc183..f350d286be 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,7 +1,8 @@
---
title: AppRuntime Policy CSP
description: Learn more about the AppRuntime Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -32,9 +33,9 @@ ms.date: 01/18/2024
-This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
+This policy setting lets you control whether Microsoft accounts are optional for packaged Microsoft Store apps that require an account to sign in. This policy only affects packaged Microsoft Store apps that support it.
-- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
+- If you enable this policy setting, packaged Microsoft Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you disable or don't configure this policy setting, users will need to sign in with a Microsoft account.
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 6e677aa3b7..410bed737a 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1,7 +1,8 @@
---
title: AppVirtualization Policy CSP
description: Learn more about the AppVirtualization Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -33,6 +34,9 @@ ms.date: 01/18/2024
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
+
+> [!NOTE]
+> Application Virtualization (App-V) will reach end-of-life April 2026. After that time, the App-V client will be excluded from new versions of the Windows operating system. See aka.ms/AppVDeprecation for more information.
@@ -309,7 +313,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th
Reporting Server URL: Displays the URL of reporting server.
-Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9. AM.
+Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load.
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 63caf16da0..66a283655a 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,7 +1,8 @@
---
title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -154,7 +155,7 @@ This policy setting allows you to manage whether users can manually remove the z
-This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
+This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 3e7b9cbfee..6e6a59f438 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1,7 +1,8 @@
---
title: Audit Policy CSP
description: Learn more about the Audit Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -846,7 +847,7 @@ Volume: Low.
-This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697).
+This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index bfd166053c..b05b71eb8e 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -1,7 +1,8 @@
---
title: Authentication Policy CSP
description: Learn more about the Authentication Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index f94c675d89..955e4d92ab 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -1,7 +1,8 @@
---
title: Autoplay Policy CSP
description: Learn more about the Autoplay Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 85ba82af82..308853dff2 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -1,7 +1,8 @@
---
title: Bitlocker Policy CSP
description: Learn more about the Bitlocker Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 01dbd07987..eb4c4c5f2b 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -1,7 +1,8 @@
---
title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -32,7 +33,7 @@ ms.date: 01/18/2024
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@@ -98,7 +99,7 @@ Consider using this setting to prevent BITS transfers from competing for network
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@@ -164,7 +165,7 @@ Consider using this setting to prevent BITS transfers from competing for network
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index fc321bd1b1..0d33c7e54f 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -1,7 +1,8 @@
---
title: Bluetooth Policy CSP
description: Learn more about the Bluetooth Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -265,7 +266,7 @@ Sets the local Bluetooth device name. If this is set, the value that it's set to
-Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide.
+Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index a86b54d3d2..1acad4511f 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,7 +1,8 @@
---
title: Browser Policy CSP
description: Learn more about the Browser Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 3882e07879..7e02fa6542 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -1,7 +1,8 @@
---
title: Camera Policy CSP
description: Learn more about the Camera Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index a2cfae0564..b45e85ec8a 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -1,7 +1,8 @@
---
title: Cellular Policy CSP
description: Learn more about the Cellular Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
index cb287ddd00..d216746bc8 100644
--- a/windows/client-management/mdm/policy-csp-clouddesktop.md
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -1,7 +1,8 @@
---
title: CloudDesktop Policy CSP
description: Learn more about the CloudDesktop Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 1a15adf8c0..c22245a862 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,7 +1,8 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -11,6 +12,8 @@ ms.date: 04/10/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -584,6 +587,159 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi
+
+## DisableCellularOperatorSettingsPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableCellularOperatorSettingsPage
+```
+
+
+
+
+This policy makes all configurable settings in the 'Cellular' > 'Mobile operator settings' page read-only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+## DisableCellularSettingsPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableCellularSettingsPage
+```
+
+
+
+
+This policy makes all configurable settings in the 'Cellular' Settings page read-only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+## DisableCrossDeviceResume
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
+```
+
+
+
+
+This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/ 3P apps that require linking between Phone and PC.
+
+- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
+
+- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
+
+- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | CrossDeviceResume is Enabled. |
+| 1 | CrossDeviceResume is Disabled. |
+
+
+
+
+
+
+
+
## DisableDownloadingOfPrintDriversOverHTTP
@@ -899,6 +1055,55 @@ If you disable this setting or don't configure it, the user will be able to crea
+
+## UseCellularWhenWiFiPoor
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/UseCellularWhenWiFiPoor
+```
+
+
+
+
+This policy allows the use of a cellular connection when Wi-Fi connectivity is limited.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Enabled. |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index cd2bf997f6..14777213d3 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -1,7 +1,8 @@
---
title: ControlPolicyConflict Policy CSP
description: Learn more about the ControlPolicyConflict Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -37,7 +38,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index d73b3ade9c..543e2efb7f 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,7 +1,8 @@
---
title: CredentialProviders Policy CSP
description: Learn more about the CredentialProviders Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index af3cee543f..263eb0058e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -1,7 +1,8 @@
---
title: CredentialsDelegation Policy CSP
description: Learn more about the CredentialsDelegation Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index f6f9d847a7..1e2a4e8319 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -1,7 +1,8 @@
---
title: CredentialsUI Policy CSP
description: Learn more about the CredentialsUI Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 27aae04079..709e9e57bd 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,7 +1,8 @@
---
title: Cryptography Policy CSP
description: Learn more about the Cryptography Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 01/18/2024
# Policy CSP - Cryptography
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -79,7 +78,7 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -146,7 +145,7 @@ CertUtil.exe -DisplayEccCurve.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -196,7 +195,7 @@ System cryptography: Force strong key protection for user keys stored on the com
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -235,7 +234,7 @@ Override minimal enabled TLS version for client role. Last write wins.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -274,7 +273,7 @@ Override minimal enabled TLS version for server role. Last write wins.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -313,7 +312,7 @@ Override minimal enabled TLS version for client role. Last write wins.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index ed3d5d84d4..be943180ef 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -1,7 +1,8 @@
---
title: DataProtection Policy CSP
description: Learn more about the DataProtection Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 37ef82f657..d821a157ad 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -1,7 +1,8 @@
---
title: DataUsage Policy CSP
description: Learn more about the DataUsage Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index a790f24a26..885ebb21e6 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,7 +1,8 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -30,7 +31,7 @@ ms.date: 06/28/2024
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.
@@ -745,7 +746,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
-| Friendly Name | Scan network files |
+| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 171f5c4349..6bf367d3e9 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,7 +1,8 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -34,11 +35,7 @@ ms.date: 08/06/2024
-Specifies the maximum size in GB of Delivery Optimization cache.
-
-This policy overrides the DOMaxCacheSize policy.
-
-The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
+Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy.
@@ -93,7 +90,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
-Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
@@ -125,8 +122,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con
| Name | Value |
|:--|:--|
| Name | AllowVPNPeerCaching |
-| Friendly Name | Enable Peer Caching while the device connects via VPN |
-| Element Name | Enable Peer Caching while the device connects via VPN. |
+| Friendly Name | Enable P2P while the device connects via VPN |
+| Element Name | Enable P2P while the device connects via VPN. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@@ -156,15 +153,13 @@ Specifies whether the device is allowed to participate in Peer Caching while con
-This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
-
-One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
> [!NOTE]
-> Clients don't talk to multiple Microsoft Connected Cache (MCC) servers at the same time. If you configure a list of MCC servers in this policy, the clients will round robin until they successfully connect to an MCC server. The clients have no way to determine if the MCC server has the content or not. If the MCC server doesn't have the content, it caches the content as it is handing the content back to the client.
+> Clients don't talk to multiple Microsoft Connected Cache servers at the same time. If you configure a list of Connected Cache servers in this policy, the clients will round robin until they successfully connect to a Connected Cache server. The clients have no way to determine if the Connected Cache server has the content or not. If the Connected Cache server doesn't have the content, it caches the content as it is handing the content back to the client.
@@ -214,17 +209,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or
-This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
-
-Options available are:
-
-0 = Disable DNS-SD.
-
-1 = DHCP Option 235.
+Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically.
+1 = DHCP Option 235
2 = DHCP Option 235 Force.
-
-If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
@@ -240,10 +228,18 @@ If this policy isn't configured, the client will attempt to automatically find a
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | DHCP Option 235. |
+| 2 | DHCP Option 235 Force. |
+
+
**Group policy mapping**:
@@ -281,13 +277,7 @@ If this policy isn't configured, the client will attempt to automatically find a
-This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P.
-
-After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
-
-Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
-
-The recommended value is 1 hour (3600).
+For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
@@ -311,7 +301,7 @@ The recommended value is 1 hour (3600).
| Name | Value |
|:--|:--|
| Name | DelayBackgroundDownloadFromHttp |
-| Friendly Name | Delay background download from http (in secs) |
+| Friendly Name | Delay background download from http (in seconds) |
| Element Name | Delay background download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@@ -342,7 +332,7 @@ The recommended value is 1 hour (3600).
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
@@ -397,7 +387,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
@@ -452,13 +442,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
-This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P.
-
-After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
-
-Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
-
-The recommended value is 1 minute (60).
+For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
@@ -482,7 +466,7 @@ The recommended value is 1 minute (60).
| Name | Value |
|:--|:--|
| Name | DelayForegroundDownloadFromHttp |
-| Friendly Name | Delay Foreground download from http (in secs) |
+| Friendly Name | Delay Foreground download from http (in seconds) |
| Element Name | Delay Foreground download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@@ -513,7 +497,7 @@ The recommended value is 1 minute (60).
-Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
+Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
@@ -535,8 +519,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
| Value | Description |
|:--|:--|
-| 0 (Default) | Allowed. |
-| 1 | Not allowed. |
+| 0 (Default) | Not Set. |
+| 1 | Enabled. |
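Review bot: The two replacement rows in this hunk describe the toggle state ("Not Set", "Enabled") rather than what each value does, so the table no longer tells a reader whether 1 blocks or permits Connected Cache downloads over VPN. The description line earlier in the file does say that Not Set allows the downloads and Enabled blocks them, so the rows should carry that behavior too, e.g. `| 0 (Default) | Not Set. Downloads from Microsoft Connected Cache servers are allowed while a VPN connection is active. |` and `| 1 | Enabled. Downloads from Microsoft Connected Cache servers are blocked while a VPN connection is active. |`. Keeping the behavior in the value table matters because it is the part most often copied into MDM/GPO baselines without the surrounding prose.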
@@ -572,13 +556,13 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
-Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
+Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
> [!NOTE]
-> The Delivery Optimization service on the clients checks to see if there are peers and/or an MCC server which contains the content and determines the best source for the content.
+> The Delivery Optimization service on the clients checks to see if there are peers and/or a Connected Cache server which contains the content and determines the best source for the content.
@@ -598,10 +582,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
|:--|:--|
| 0 (Default) | HTTP only, no peering. |
| 1 | HTTP blended with peering behind the same NAT. |
-| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
+| 2 | HTTP blended with peering across a private group. |
| 3 | HTTP blended with Internet peering. |
-| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
-| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
+| 99 | HTTP only, no peering, no use of DO cloud service. |
+| 100 | Bypass mode, deprecated in Windows 11. |
@@ -641,11 +625,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
-Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
-
-Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN.
-
-Note this is a best effort optimization and shouldn't be relied on for an authentication of identity.
+Specifies an arbitrary group ID that the device belongs to. A GUID must be used.
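Review bot: The one-line rewrite at the end of this hunk drops the caveat that Group ID is a best-effort optimization and shouldn't be relied on as an authentication of identity, which is the one security statement a practitioner needs from this policy. Since the value is an arbitrary GUID that the device itself presents, it presumably can't act as a trust boundary for peering, and the removed sentence made that explicit. Suggest keeping it as a second sentence: `Group ID is a best-effort optimization for peer selection and shouldn't be relied on as an authentication of identity.` The removed guidance about using it to group branches on different domains or LANs is also useful and could stay as a third sentence.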
@@ -698,7 +678,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
-Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Specifies the source of group ID used for peer selection.
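Review bot: The replacement sentence in this hunk loses the precedence and applicability rules that determine whether the setting has any effect: the old text said the policy is ignored if GroupID is also set and only applies when DownloadMode is Group (2). Without that, an admin can set GroupIdSource and never get the intended peering scope. Suggest adding after the new sentence: `This policy is ignored if the GroupID policy is also set, and it only applies when DownloadMode is set to Group (2).` The removed detail that option 3 queries DHCP Option ID 234 and uses the returned GUID is also worth keeping, since with that source group membership is presumably only as trustworthy as the DHCP server answering the client.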
@@ -722,12 +702,12 @@ Set this policy to restrict peer selection to a specific source. Available optio
| Value | Description |
|:--|:--|
-| 0 (Default) | Unset. |
+| 0 (Default) | Not Set. |
| 1 | AD site. |
| 2 | Authenticated domain SID. |
-| 3 | DHCP user option. |
-| 4 | DNS suffix. |
-| 5 | Microsoft Entra ID. |
+| 3 | DHCP Option ID. |
+| 4 | DNS Suffix. |
+| 5 | Entra ID Tenant ID. |
@@ -768,8 +748,6 @@ Set this policy to restrict peer selection to a specific source. Available optio
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
-The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
@@ -824,7 +802,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
@@ -879,7 +857,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
-Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
@@ -935,8 +913,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
-The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
@@ -991,7 +967,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
-Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
+Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
@@ -1046,11 +1022,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se
-Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
-
-The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
-
-The value 0 means "not-limited"; The cloud service set default value will be used.
+Specifies the minimum battery level required for uploading to peers, while on battery power.
@@ -1105,12 +1077,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use
-Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
-
-Recommended values: 64 GB to 256 GB.
-
-> [!NOTE]
-> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
+Specifies the required minimum total disk size in GB for the device to use P2P.
@@ -1134,8 +1101,8 @@ Recommended values: 64 GB to 256 GB.
| Name | Value |
|:--|:--|
| Name | MinDiskSizeAllowedToPeer |
-| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
-| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
+| Friendly Name | Minimum disk size allowed to use P2P (in GB) |
+| Element Name | Minimum disk size allowed to use P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@@ -1165,7 +1132,7 @@ Recommended values: 64 GB to 256 GB.
-Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
+Specifies the minimum content file size in MB eligible to use P2P.
@@ -1189,8 +1156,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
| Name | Value |
|:--|:--|
| Name | MinFileSizeToCache |
-| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
-| Element Name | Minimum Peer Caching Content File Size (in MB) |
+| Friendly Name | Minimum P2P Content File Size (in MB) |
+| Element Name | Minimum P2P Content File Size (in MB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@@ -1220,7 +1187,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
-Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
+Specifies the minimum total RAM size in GB required to use P2P.
@@ -1244,8 +1211,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
| Name | Value |
|:--|:--|
| Name | MinRAMAllowedToPeer |
-| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
-| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
+| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
+| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@@ -1275,9 +1242,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
-Specifies the drive Delivery Optimization shall use for its cache.
-
-By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
+Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
@@ -1330,7 +1295,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
-Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
+Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
@@ -1386,8 +1351,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
-
-The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
@@ -1445,8 +1408,6 @@ Downloads from LAN peers won't be throttled even when this policy is set.
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
-
-The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
@@ -1501,7 +1462,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
-Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
+Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
@@ -1528,7 +1489,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
|:--|:--|
| 0 (Default) | None. |
| 1 | Subnet mask. |
-| 2 | Local peer discovery (DNS-SD). |
+| 2 | Local discovery (DNS-SD). |
@@ -1681,7 +1642,7 @@ This policy allows an IT Admin to define the following details:
-This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
+Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma.
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 60c0d9c6aa..c2c1c5c18b 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,7 +1,8 @@
---
title: Desktop Policy CSP
description: Learn more about the Desktop Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 2b3fea16a4..eb317efb9d 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -1,7 +1,8 @@
---
title: DesktopAppInstaller Policy CSP
description: Learn more about the DesktopAppInstaller Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -11,8 +12,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -215,7 +214,14 @@ Users will still be able to execute the *winget* command. The default help will
-
+
+This policy controls whether the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source.
+
+- If you enable this policy, the [Windows Package Manager](/windows/package-manager/) will bypass the Microsoft Store certificate validation.
+
+- If you disable this policy, the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
+
+- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
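Review bot: The new description in this hunk states that enabling the policy bypasses the Microsoft Store certificate validation but gives no warning about what that costs, and the "not configured" bullet defers to Windows Package Manager administrator settings without saying what the effective default is. For a setting whose enabled state removes a certificate check on the connection to a package source, a reader should see the risk stated next to the bullets, e.g. `> [!CAUTION]` followed by `> Enabling this policy removes the certificate check on the connection to the Microsoft Store source. Leave it disabled unless a controlled environment specifically requires it.` If the intent is to accommodate a TLS-inspecting proxy, saying so would help admins judge whether they need it; I'm inferring that use case, so confirm before adding.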
@@ -232,7 +238,6 @@ Users will still be able to execute the *winget* command. The default help will
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -240,6 +245,11 @@ Users will still be able to execute the *winget* command. The default help will
| Name | Value |
|:--|:--|
| Name | EnableBypassCertificatePinningForMicrosoftStore |
+| Friendly Name | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableBypassCertificatePinningForMicrosoftStore |
| ADMX File Name | DesktopAppInstaller.admx |
@@ -445,7 +455,14 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
-
+
+This policy controls the ability to override malware vulnerability scans when installing an archive file using a local manifest using the command line arguments.
+
+- If you enable this policy, users can override the malware scan when performing a local manifest install of an archive file.
+
+- If you disable this policy, users will be unable to override the malware scan of an archive file when installing using a local manifest.
+
+- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
@@ -462,7 +479,6 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -470,6 +486,11 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
| Name | Value |
|:--|:--|
| Name | EnableLocalArchiveMalwareScanOverride |
+| Friendly Name | Enable App Installer Local Archive Malware Scan Override |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableLocalArchiveMalwareScanOverride |
| ADMX File Name | DesktopAppInstaller.admx |
@@ -618,9 +639,9 @@ This policy controls the Microsoft Store source included with the [Windows Packa
This policy controls whether users can install packages from a website that's using the ms-appinstaller protocol.
-- If you enable or don't configure this setting, users will be able to install packages from websites that use this protocol.
+- If you enable this setting, users will be able to install packages from websites that use this protocol.
-- If you disable this setting, users won't be able to install packages from websites that use this protocol.
+- If you disable or don't configure this setting, users won't be able to install packages from websites that use this protocol.
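Review bot: This hunk flips the documented behavior of the unconfigured state from "users can install packages from ms-appinstaller websites" to "users can't", but the text doesn't say that the default changed or on which builds the new default applies. An admin comparing the old and new pages would reasonably conclude one of them is wrong. Suggest adding a line after the bullets such as `The default (not configured) behavior now blocks installs from the ms-appinstaller protocol; previously it allowed them.` If the change is tied to a specific Windows or App Installer version, name it there; I can't tell from this hunk which one.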
@@ -724,7 +745,7 @@ The settings are stored inside of a .json file on the user’s system. It may be
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -734,7 +755,14 @@ The settings are stored inside of a .json file on the user’s system. It may be
-
+
+This policy determines if a user can perform an action using the [Windows Package Manager](/windows/package-manager/) through a command line interface (WinGet CLI, or WinGet PowerShell).
+
+If you disable this policy, users won't be able execute the [Windows Package Manager](/windows/package-manager/) CLI, and PowerShell cmdlets.
+
+If you enable, or don't configuring this policy, users will be able to execute the [Windows Package Manager](/windows/package-manager/) CLI commands, and PowerShell cmdlets. (Provided "Enable App Installer" policy isn't disabled).
+
+This policy doesn't override the "Enable App Installer" policy.
@@ -751,7 +779,6 @@ The settings are stored inside of a .json file on the user’s system. It may be
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -759,6 +786,11 @@ The settings are stored inside of a .json file on the user’s system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| Friendly Name | Enable Windows Package Manager command line interfaces |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableWindowsPackageManagerCommandLineInterfaces |
| ADMX File Name | DesktopAppInstaller.admx |
@@ -774,7 +806,7 @@ The settings are stored inside of a .json file on the user’s system. It may be
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -784,7 +816,12 @@ The settings are stored inside of a .json file on the user’s system. It may be
-
+
+This policy controls whether the [Windows Package Manager](/windows/package-manager/) configuration feature can be used by users.
+
+- If you enable or don't configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
+
+- If you disable this setting, users won't be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
@@ -801,7 +838,6 @@ The settings are stored inside of a .json file on the user’s system. It may be
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -809,6 +845,11 @@ The settings are stored inside of a .json file on the user’s system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerConfiguration |
+| Friendly Name | Enable Windows Package Manager Configuration |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
@@ -835,9 +876,9 @@ The settings are stored inside of a .json file on the user’s system. It may be
-This policy controls the auto update interval for package-based sources.
+This policy controls the auto-update interval for package-based sources. The default source for [Windows Package Manager](/windows/package-manager/) is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed.
-- If you disable or don't configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
+- If you disable or don't configure this setting, the default interval or the value specified in the [Windows Package Manager](/windows/package-manager/) settings will be used.
- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index c27a142696..d015682073 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,7 +1,8 @@
---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,6 +10,8 @@ ms.date: 01/18/2024
# Policy CSP - DeviceGuard
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -205,6 +208,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
+
+## MachineIdentityIsolation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
+```
+
+
+
+
+Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
+| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
+| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Machine Identity Isolation Configuration. |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
+
+
+
+
+
+
+
## RequirePlatformSecurityFeatures
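Review bot: The new MachineIdentityIsolation description in this hunk explains where the machine password is stored for each value but doesn't say what the setting depends on or what happens when the dependency is missing. The group policy mapping puts it under "Turn On Virtualization Based Security", which suggests values 1 and 2 only take effect when VBS is running, and the allowed-values labels "(Enabled in audit mode)" and "(Enabled in enforcement mode)" are never explained in the text. Suggest adding after the description: `Values 1 and 2 presumably require virtualization-based security to be enabled on the device; confirm the behavior when VBS is off before relying on enforcement mode.` A sentence explaining what "audit mode" means for value 1 (the password is still LSASS-bound, so the IUM copy can be validated without breaking domain authentication, if that is the intent) would also help.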
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 271866959b..a91246ac62 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,7 +1,8 @@
---
title: DeviceHealthMonitoring Policy CSP
description: Learn more about the DeviceHealthMonitoring Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -30,7 +31,7 @@ ms.date: 01/18/2024
-Enable/disable 4. Nines device health monitoring on devices.
+Enable/disable device health monitoring on devices.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 87f3608dd1..d4c8aab970 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -1,7 +1,8 @@
---
title: DeviceInstallation Policy CSP
description: Learn more about the DeviceInstallation Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 259d88a891..4bacc831f5 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,7 +1,8 @@
---
title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP.
-ms.date: 08/05/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -11,8 +12,6 @@ ms.date: 08/05/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
> [!IMPORTANT]
@@ -25,7 +24,7 @@ ms.date: 08/05/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -64,7 +63,7 @@ Account lockout threshold - This security setting determines the number of faile
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -329,7 +328,7 @@ Determines the type of PIN or password required. This policy only applies if the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -685,7 +684,7 @@ The number of authentication failures allowed before the device will be wiped. A
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1025,7 +1024,7 @@ This security setting determines the period of time (in days) that a password mu
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1078,7 +1077,7 @@ This security setting determines the least number of characters that a password
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1128,7 +1127,7 @@ This security setting determines the minimum password length for which password
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1188,7 +1187,7 @@ Complexity requirements are enforced when passwords are changed or created.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1360,7 +1359,7 @@ If you enable this setting, users will no longer be able to modify slide show se
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 8f021f8337..2c7e2917eb 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,7 +1,8 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,10 +10,72 @@ ms.date: 01/18/2024
# Policy CSP - Display
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+
+## ConfigureMultipleDisplayMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/ConfigureMultipleDisplayMode
+```
+
+
+
+
+This policy sets the default display arrangement to pick between clone or extend.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Default. |
+| 1 (Default) | Clone. |
+| 2 | Extend. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureMultipleDisplayMode |
+| Path | Display > AT > System > DisplayCat |
+| Element Name | DisplayConfigureMultipleDisplayModeSettings |
+
+
+
+
+
+
+
+
## DisablePerProcessDpiForApps
@@ -236,6 +299,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli
+
+## SetClonePreferredResolutionSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource
+```
+
+
+
+
+This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Default. |
+| 1 (Default) | Internal. |
+| 2 | External. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetClonePreferredResolutionSource |
+| Path | Display > AT > System > DisplayCat |
+| Element Name | DisplaySetClonePreferredResolutionSourceSettings |
+
+
+
+
+
+
+
+
## TurnOffGdiDPIScalingForApps
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index ed3b7b4609..f3c22ca841 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,7 +1,8 @@
---
title: DmaGuard Policy CSP
description: Learn more about the DmaGuard Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md
index 14022fde28..64de1f0ca5 100644
--- a/windows/client-management/mdm/policy-csp-eap.md
+++ b/windows/client-management/mdm/policy-csp-eap.md
@@ -1,7 +1,8 @@
---
title: Eap Policy CSP
description: Learn more about the Eap Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -30,7 +31,7 @@ ms.date: 01/18/2024
-Added in Windows 10, version 21. H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
+Added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index cfd49a1bf0..4efe4c1ad8 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,7 +1,8 @@
---
title: Education Policy CSP
description: Learn more about the Education Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 016c5d5a51..0d94ccfd85 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -1,7 +1,8 @@
---
title: EnterpriseCloudPrint Policy CSP
description: Learn more about the EnterpriseCloudPrint Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 50e401227e..1fc4e56ebb 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -1,7 +1,8 @@
---
title: ErrorReporting Policy CSP
description: Learn more about the ErrorReporting Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 83a5c6c350..e79a85ea8b 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -1,7 +1,8 @@
---
title: EventLogService Policy CSP
description: Learn more about the EventLogService Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index f0831810bd..37d22f55dc 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,7 +1,8 @@
---
title: Experience Policy CSP
description: Learn more about the Experience Area in Policy CSP.
-ms.date: 08/07/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 08/07/2024
# Policy CSP - Experience
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -484,7 +483,7 @@ Allow screen capture.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -494,7 +493,7 @@ Allow screen capture.
-
+
This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app.
- If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app.
@@ -531,7 +530,12 @@ This policy setting allows you to control whether screen recording functionality
| Name | Value |
|:--|:--|
| Name | AllowScreenRecorder |
-| Path | Programs > AT > WindowsComponents > SnippingTool |
+| Friendly Name | Allow Screen Recorder |
+| Location | User Configuration |
+| Path | Windows Components > Snipping Tool |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\SnippingTool |
+| Registry Value Name | AllowScreenRecorder |
+| ADMX File Name | Programs.admx |
@@ -1681,7 +1685,7 @@ This policy setting lets you turn off cloud consumer account state content in al
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1887,7 +1891,7 @@ _**Turn syncing off by default but don’t disable**_
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4828] and later ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later ✅ Windows Insider Preview |
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 with [KB5041582](https://support.microsoft.com/help/5041582) [10.0.19045.4842] and later ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 6d947b5cd3..1722439b80 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -1,7 +1,8 @@
---
title: ExploitGuard Policy CSP
description: Learn more about the ExploitGuard Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
index 4b4de43f51..da5662f29d 100644
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -1,7 +1,8 @@
---
title: FederatedAuthentication Policy CSP
description: Learn more about the FederatedAuthentication Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index fb55df7a5d..e49af36ddf 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -1,7 +1,8 @@
---
title: FileExplorer Policy CSP
description: Learn more about the FileExplorer Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -138,7 +139,7 @@ When This PC location is restricted, give the user the option to enumerate and n
-Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
+Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, Details pane, etc.
diff --git a/windows/client-management/mdm/policy-csp-filesystem.md b/windows/client-management/mdm/policy-csp-filesystem.md
index f1d4135999..bc73918bf9 100644
--- a/windows/client-management/mdm/policy-csp-filesystem.md
+++ b/windows/client-management/mdm/policy-csp-filesystem.md
@@ -1,7 +1,8 @@
---
title: FileSystem Policy CSP
description: Learn more about the FileSystem Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index d16bea4048..42f5209042 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -1,7 +1,8 @@
---
title: Games Policy CSP
description: Learn more about the Games Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 6cd40803bd..2dc76390b0 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -1,7 +1,8 @@
---
title: Handwriting Policy CSP
description: Learn more about the Handwriting Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index 3ef891ed68..38c80beebe 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -1,7 +1,8 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -21,7 +22,7 @@ ms.date: 01/18/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -85,7 +86,7 @@ Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forc
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -149,7 +150,7 @@ Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -213,7 +214,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -528,6 +529,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
+
+## ForcePrivacyScreen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
+```
+
+
+
+
+Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 2 | ForcedOff. |
+| 1 | ForcedOn. |
+| 0 (Default) | DefaultToUserChoice. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ForcePrivacyScreen |
+| Path | Sensors > AT > WindowsComponents > HumanPresence |
+
+
+
+
+
+
+
+
+
+## ForcePrivacyScreenDim
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
+```
+
+
+
+
+Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 2 | ForcedUnchecked. |
+| 1 | ForcedChecked. |
+| 0 (Default) | DefaultToUserChoice. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ForcePrivacyScreenDim |
+| Path | Sensors > AT > WindowsComponents > HumanPresence |
+
+
+
+
+
+
+
+
+
+## ForcePrivacyScreenNotification
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
+```
+
+
+
+
+Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 2 | ForcedUnchecked. |
+| 1 | ForcedChecked. |
+| 0 (Default) | DefaultToUserChoice. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ForcePrivacyScreenNotification |
+| Path | Sensors > AT > WindowsComponents > HumanPresence |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 5e218fe45c..c10d0663c7 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,7 +1,8 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1005,7 +1006,12 @@ Note. It's recommended to configure template policy settings in one Group Policy
-
+
+This policy setting allows the use of some disabled functionality, such as WorkingDirectory field or pluggable protocol handling, in Internet Shortcut files.
+
+If you enable this policy, disabled functionality for Internet Shortcut files will be re-enabled.
+
+If you disable, or don't configure this policy, some functionality for Internet Shortcut files, such as WorkingDirectory field or pluggable protocol handling, will be disabled.
@@ -1022,7 +1028,6 @@ Note. It's recommended to configure template policy settings in one Group Policy
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1030,6 +1035,11 @@ Note. It's recommended to configure template policy settings in one Group Policy
| Name | Value |
|:--|:--|
| Name | AllowLegacyURLFields |
+| Friendly Name | Allow legacy functionality for Internet Shortcut files |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
+| Registry Value Name | AllowLegacyURLFields |
| ADMX File Name | inetres.admx |
@@ -2463,11 +2473,11 @@ This policy setting determines whether Internet Explorer requires that all file-
-This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
+This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
-- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
+- If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
-- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.
+- If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML.
For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
@@ -4420,7 +4430,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp
- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
-1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
+1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
2. "hostname". For example, if you want to include https://example, use "example".
3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
@@ -5263,7 +5273,7 @@ This policy setting allows you to manage the loading of Extensible Application M
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -6816,7 +6826,7 @@ This policy setting allows you to manage the opening of windows and frames and a
-This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@@ -7328,7 +7338,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -7923,13 +7933,11 @@ This policy setting allows you to manage the opening of windows and frames and a
-This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations.
+This policy setting specifies whether JScript or JScript9Legacy is loaded.
-- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated.
+- If you enable this policy setting or not configured, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you disable this policy, then JScript will be utilized.
-
-- If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript.
@@ -7953,7 +7961,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS
| Name | Value |
|:--|:--|
| Name | JScriptReplacement |
-| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
+| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript. |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
@@ -8403,7 +8411,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -9318,7 +9326,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10167,7 +10175,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10876,7 +10884,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -11655,7 +11663,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -12434,7 +12442,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -13366,7 +13374,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
| Name | Value |
|:--|:--|
| Name | VerMgmtDisableRunThisTime |
-| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
+| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer > Security Features > Add-on Management |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext |
@@ -13407,7 +13415,7 @@ If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode
If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
-For more information, see
+For more information, see
@@ -14300,7 +14308,7 @@ This policy setting allows you to manage whether a user's browser can be redirec
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -15855,7 +15863,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t
-This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@@ -16465,7 +16473,7 @@ Also, see the "Security zones: Don't allow users to change policies" policy.
| Name | Value |
|:--|:--|
| Name | Security_HKLM_only |
-| Friendly Name | Security Zones: Use only machine settings |
+| Friendly Name | Security Zones: Use only machine settings |
| Location | Computer Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
@@ -16974,7 +16982,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 092f0fcfa3..acc05b4bdf 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -1,7 +1,8 @@
---
title: Kerberos Policy CSP
description: Learn more about the Kerberos Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index ab923304b0..061ecffdfa 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -1,7 +1,8 @@
---
title: KioskBrowser Policy CSP
description: Learn more about the KioskBrowser Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index b3e44fe44d..69d9d6d17c 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,7 +1,8 @@
---
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -36,6 +37,8 @@ This policy setting determines if the SMB client will allow insecure guest logon
- If you disable this policy setting, the SMB client will reject insecure guest logons.
+If you enable signing, the SMB client will reject insecure guest logons.
+
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access".
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 69f8d74490..b57d3f7614 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -1,7 +1,8 @@
---
title: Licensing Policy CSP
description: Learn more about the Licensing Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 8caa34c334..9ce6bd86df 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -1,7 +1,8 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -360,7 +361,7 @@ Accounts: Rename guest account This security setting determines whether a differ
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -388,10 +389,27 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
|:--|:--|
| Format | `b64` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: ``) |
-| Default Value | 00 |
+| Default Value | AA== |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| AQ== | Enable. |
+| AA== (Default) | Disable. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Audit: Audit the use of Backup and Restore privilege |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
@@ -404,7 +422,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -445,7 +463,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -718,7 +736,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -771,7 +789,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -825,7 +843,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -878,7 +896,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -928,7 +946,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -982,7 +1000,7 @@ Domain member: Disable machine account password changes Determines whether a dom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1035,7 +1053,7 @@ Domain member: Maximum machine account password age This security setting determ
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1335,7 +1353,7 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1454,6 +1472,8 @@ Interactive logon: Message text for users attempting to log on This security set
+> [!IMPORTANT]
+> Windows Autopilot pre-provisioning doesn't work when this policy setting is enabled. For more information, see [Windows Autopilot troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-policy-conflicts-with-windows-autopilot).
@@ -1503,6 +1523,8 @@ Interactive logon: Message title for users attempting to log on This security se
+> [!IMPORTANT]
+> Windows Autopilot pre-provisioning doesn't work when this policy setting is enabled. For more information, see [Windows Autopilot troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-policy-conflicts-with-windows-autopilot).
@@ -1551,6 +1573,8 @@ Interactive logon: Number of previous logons to cache (in case domain controller
+> [!NOTE]
+> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release.
@@ -1575,7 +1599,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1864,7 +1888,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2047,7 +2071,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2090,7 +2114,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2131,7 +2155,7 @@ Microsoft network server: Server SPN target name validation level This policy se
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2312,7 +2336,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2360,7 +2384,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2412,7 +2436,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2452,7 +2476,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2495,7 +2519,7 @@ Network access: Remotely accessible registry paths This security setting determi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2644,7 +2668,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2684,7 +2708,7 @@ Network access: Shares that can be accessed anonymously This security setting de
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2728,7 +2752,7 @@ Network access: Sharing and security model for local accounts This security sett
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2958,7 +2982,7 @@ Network security: Don't store LAN Manager hash value on next password change Thi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -3083,7 +3107,7 @@ Network security LAN Manager authentication level This security setting determin
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -3489,7 +3513,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -3539,7 +3563,7 @@ Recovery console: Allow automatic administrative logon This security setting det
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -3696,7 +3720,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -3737,7 +3761,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -3787,7 +3811,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 08570e074e..da2922a942 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -1,7 +1,8 @@
---
title: LocalUsersAndGroups Policy CSP
description: Learn more about the LocalUsersAndGroups Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 95f4c33c50..11299e781b 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -1,7 +1,8 @@
---
title: LockDown Policy CSP
description: Learn more about the LockDown Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md
index d4773d4c5d..9338d13c66 100644
--- a/windows/client-management/mdm/policy-csp-lsa.md
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@@ -1,7 +1,8 @@
---
title: LocalSecurityAuthority Policy CSP
description: Learn more about the LocalSecurityAuthority Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -93,7 +94,7 @@ This policy controls the configuration under which LSASS loads custom SSPs and A
This policy controls the configuration under which LSASS is run.
-- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
+- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you configure and set this policy setting to "Disabled", LSA won't run as a protected process.
@@ -135,7 +136,7 @@ This policy controls the configuration under which LSASS is run.
| Friendly Name | Configures LSASS to run as a protected process |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
-| Registry Key Name | System\CurrentControlSet\Control\Lsa |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| ADMX File Name | LocalSecurityAuthority.admx |
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 7dc52aed91..0148a014f0 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -1,7 +1,8 @@
---
title: Maps Policy CSP
description: Learn more about the Maps Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md
index d6550053a3..ae3cea44fd 100644
--- a/windows/client-management/mdm/policy-csp-memorydump.md
+++ b/windows/client-management/mdm/policy-csp-memorydump.md
@@ -1,7 +1,8 @@
---
title: MemoryDump Policy CSP
description: Learn more about the MemoryDump Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 30117ff84d..bdb2fb5e55 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -1,7 +1,8 @@
---
title: Messaging Policy CSP
description: Learn more about the Messaging Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index d2ccb8d7eb..ace4441d82 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -1,7 +1,8 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -139,7 +140,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us
-By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
+By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index da47e000cd..988bfdc000 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,7 +1,8 @@
---
title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -11,8 +12,6 @@ ms.date: 01/31/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -223,7 +222,7 @@ ms.date: 01/31/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index 6e60b0d9dd..ad3748f44a 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,7 +1,8 @@
---
title: MSSLegacy Policy CSP
description: Learn more about the MSSLegacy Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md
index 84df0472de..06d1458a87 100644
--- a/windows/client-management/mdm/policy-csp-multitasking.md
+++ b/windows/client-management/mdm/policy-csp-multitasking.md
@@ -1,7 +1,8 @@
---
title: Multitasking Policy CSP
description: Learn more about the Multitasking Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 14633df6c8..6ec838f5ad 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -1,7 +1,8 @@
---
title: NetworkIsolation Policy CSP
description: Learn more about the NetworkIsolation Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 5864c486c1..71e78973a4 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -1,7 +1,8 @@
---
title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 08/06/2024
# Policy CSP - NetworkListManager
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -21,7 +20,7 @@ ms.date: 08/06/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -70,7 +69,7 @@ This policy setting allows you to specify whether users can change the network i
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -119,7 +118,7 @@ This policy setting allows you to specify whether users can change the network l
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -262,7 +261,7 @@ This policy setting provides the string that names a network. If this setting is
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -311,7 +310,7 @@ This policy setting allows you to configure the Network Location for networks th
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -360,7 +359,7 @@ This policy setting allows you to configure the Network Location type for networ
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 16fabdc822..fe79c499b0 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -1,7 +1,8 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,6 +10,8 @@ ms.date: 01/18/2024
# Policy CSP - NewsAndInterests
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -82,6 +85,122 @@ This policy applies to the entire widgets experience, including content on the t
+
+## DisableWidgetsBoard
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsBoard
+```
+
+
+
+
+Disable widgets board.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enabled. |
+| 1 | Disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableWidgetsBoard |
+| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
+
+
+
+
+
+
+
+
+
+## DisableWidgetsOnLockScreen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen
+```
+
+
+
+
+Disable widgets on lock screen.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enabled. |
+| 1 | Disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableWidgetsOnLockScreen |
+| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 65d5cb42bc..30942a896d 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -1,7 +1,8 @@
---
title: Notifications Policy CSP
description: Learn more about the Notifications Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 01/18/2024
# Policy CSP - Notifications
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -21,7 +20,7 @@ ms.date: 01/18/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 165845af43..8e6e557bb7 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,7 +1,8 @@
---
title: Power Policy CSP
description: Learn more about the Power Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index fa423988bf..cb984a7530 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -1,7 +1,8 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -11,6 +12,8 @@ ms.date: 01/31/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -348,6 +351,56 @@ The following are the supported values:
+
+## ConfigureIppTlsCertificatePolicy
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureIppTlsCertificatePolicy |
+| ADMX File Name | Printing.admx |
+
+
+
+
+
+
+
+
## ConfigureRedirectionGuardPolicy
@@ -369,7 +422,7 @@ Determines whether Redirection Guard is enabled for the print spooler.
You can enable this setting to configure the Redirection Guard policy being applied to spooler.
-- If you disable or don't configure this policy setting, Redirection Guard will default to being 'enabled'.
+- If you disable or don't configure this policy setting, Redirection Guard will default to being 'Enabled'.
- If you enable this setting you may select the following options:
@@ -435,7 +488,12 @@ The following are the supported values:
-
+
+This policy setting controls whether packet level privacy is enabled for RPC for incoming connections.
+
+By default packet level privacy is enabled for RPC for incoming connections.
+
+If you enable or don't configure this policy setting, packet level privacy is enabled for RPC for incoming connections.
@@ -452,7 +510,6 @@ The following are the supported values:
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -460,6 +517,11 @@ The following are the supported values:
| Name | Value |
|:--|:--|
| Name | ConfigureRpcAuthnLevelPrivacyEnabled |
+| Friendly Name | Configure RPC packet level privacy setting for incoming connections |
+| Location | Computer Configuration |
+| Path | Printers |
+| Registry Key Name | System\CurrentControlSet\Control\Print |
+| Registry Value Name | RpcAuthnLevelPrivacyEnabled |
| ADMX File Name | Printing.admx |
@@ -685,7 +747,16 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
-
+
+Determines whether Windows protected print is enabled on this computer.
+
+By default, Windows protected print isn't enabled and there aren't any restrictions on the print drivers that can be installed or print functionality.
+
+- If you enable this setting, the computer will operate in Windows protected print mode which only allows printing to printers that support a subset of inbox Windows print drivers.
+
+- If you disable this setting or don't configure it, there aren't any restrictions on the print drivers that can be installed or print functionality.
+
+For more information, please see [insert link to web page with WPP info]
@@ -702,7 +773,6 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -710,6 +780,11 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
| Name | Value |
|:--|:--|
| Name | ConfigureWindowsProtectedPrint |
+| Friendly Name | Configure Windows protected print |
+| Location | Computer Configuration |
+| Path | Printers |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\WPP |
+| Registry Value Name | WindowsProtectedPrintGroupPolicyState |
| ADMX File Name | Printing.admx |
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 895ee8c286..6ef4648bc0 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,7 +1,8 @@
---
title: Privacy Policy CSP
description: Learn more about the Privacy Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -2398,207 +2399,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
-
-## LetAppsAccessGenerativeAI
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI
-```
-
-
-
-
-This policy setting specifies whether Windows apps can use generative AI features of Windows.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-2]` |
-| Default Value | 0 |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_Enum |
-
-
-
-
-
-
-
-
-
-## LetAppsAccessGenerativeAI_ForceAllowTheseApps
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceAllowTheseApps
-```
-
-
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `;`) |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_ForceAllowTheseApps_List |
-
-
-
-
-
-
-
-
-
-## LetAppsAccessGenerativeAI_ForceDenyTheseApps
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceDenyTheseApps
-```
-
-
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `;`) |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_ForceDenyTheseApps_List |
-
-
-
-
-
-
-
-
-
-## LetAppsAccessGenerativeAI_UserInControlOfTheseApps
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_UserInControlOfTheseApps
-```
-
-
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the generative AI setting for the listed apps. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `;`) |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_UserInControlOfTheseApps_List |
-
-
-
-
-
-
-
-
## LetAppsAccessGraphicsCaptureProgrammatic
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 1e190204ac..7e150cadbe 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -1,7 +1,8 @@
---
title: RemoteAssistance Policy CSP
description: Learn more about the RemoteAssistance Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index f549cfc712..b6a52d4ce2 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -1,7 +1,8 @@
---
title: RemoteDesktop Policy CSP
description: Learn more about the RemoteDesktop Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 68895bc0f7..6075c67e97 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,7 +1,8 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -156,7 +157,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2461] and later ✅ [10.0.25398.887] and later ✅ Windows 10, version 2004 [10.0.19041.4474] and later ✅ Windows 11, version 21H2 with [KB5037770](https://support.microsoft.com/help/5037770) [10.0.22000.2960] and later ✅ Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) [10.0.22621.3593] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -166,7 +167,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
-
+
+This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
+
+This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
+
+- If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
+
+- If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
@@ -183,7 +191,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -191,7 +198,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Disconnect remote session on lock for legacy authentication |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fDisconnectOnLockLegacy |
+| ADMX File Name | TerminalServer.admx |
@@ -206,7 +218,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2461] and later ✅ [10.0.25398.887] and later ✅ Windows 10, version 2004 [10.0.19041.4474] and later ✅ Windows 11, version 21H2 with [KB5037770](https://support.microsoft.com/help/5037770) [10.0.22000.2960] and later ✅ Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) [10.0.22621.3593] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -216,7 +228,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
-
+
+This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
+
+This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
+
+- If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.
+
+- If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
@@ -233,7 +252,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -241,7 +259,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Disconnect remote session on lock for Microsoft identity platform authentication |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fDisconnectOnLockMicrosoftIdentity |
+| ADMX File Name | TerminalServer.admx |
@@ -439,7 +462,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later ✅ [10.0.25398.946] and later ✅ Windows 11, version 21H2 [10.0.22000.3014] and later ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later ✅ Windows Insider Preview |
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later ✅ [10.0.25398.946] and later ✅ Windows 11, version 21H2 [10.0.22000.3014] and later ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -453,7 +476,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
-
+
+This policy setting allows you to restrict clipboard data transfers from client to server.
+
+- If you enable this policy setting, you must choose from the following behaviors:
+
+- Disable clipboard transfers from client to server.
+
+- Allow plain text copying from client to server.
+
+- Allow plain text and images copying from client to server.
+
+- Allow plain text, images and Rich Text Format copying from client to server.
+
+- Allow plain text, images, Rich Text Format and HTML copying from client to server.
+
+- If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.
+
+> [!NOTE]
+> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
@@ -470,7 +511,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -478,7 +518,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Restrict clipboard transfer from client to server |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| ADMX File Name | TerminalServer.admx |
@@ -493,7 +537,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later ✅ [10.0.25398.946] and later ✅ Windows 11, version 21H2 [10.0.22000.3014] and later ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later ✅ Windows Insider Preview |
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later ✅ [10.0.25398.946] and later ✅ Windows 11, version 21H2 [10.0.22000.3014] and later ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -507,7 +551,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
-
+
+This policy setting allows you to restrict clipboard data transfers from server to client.
+
+- If you enable this policy setting, you must choose from the following behaviors:
+
+- Disable clipboard transfers from server to client.
+
+- Allow plain text copying from server to client.
+
+- Allow plain text and images copying from server to client.
+
+- Allow plain text, images and Rich Text Format copying from server to client.
+
+- Allow plain text, images, Rich Text Format and HTML copying from server to client.
+
+- If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.
+
+> [!NOTE]
+> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
@@ -524,7 +586,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
-
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -532,7 +593,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Restrict clipboard transfer from server to client |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| ADMX File Name | TerminalServer.admx |
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 0f19f54970..cd2bb62790 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -1,7 +1,8 @@
---
title: RemoteManagement Policy CSP
description: Learn more about the RemoteManagement Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -285,7 +286,7 @@ For example, if you want the service to listen only on IPv4 addresses, leave the
Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter.
Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
-Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3. FFE:FFFF:7654:FEDA:1245:BA98:3210:4562.
+Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562.
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 1def7d700f..891a76c576 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,7 +1,8 @@
---
title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -105,11 +106,11 @@ This policy setting impacts all RPC applications. In a domain environment this p
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
-- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
+- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
> [!NOTE]
> This policy won't be applied until the system is rebooted.
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index e7c0d076a7..e8ec5c3a48 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -1,7 +1,8 @@
---
title: RemoteShell Policy CSP
description: Learn more about the RemoteShell Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 6c8af25f6a..330359312f 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -1,7 +1,8 @@
---
title: RestrictedGroups Policy CSP
description: Learn more about the RestrictedGroups Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 005ef18357..a0c7802840 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -1,7 +1,8 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 08/06/2024
# Policy CSP - Search
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -648,7 +647,7 @@ The most restrictive value is `0` to now allow automatic language detection.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -930,13 +929,13 @@ This policy setting configures whether or not locations on removable drives can
-This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home.
+This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
-- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
+- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.
-- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
+- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
-- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search, and if search highlights are shown in the search box and in search home.
+- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search.
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 25e55a8941..a640213a1c 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -1,7 +1,8 @@
---
title: Security Policy CSP
description: Learn more about the Security Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 46c10a8e9a..0b7daa00a9 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -1,7 +1,8 @@
---
title: ServiceControlManager Policy CSP
description: Learn more about the ServiceControlManager Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index bf9e5d11f5..89c42f0030 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -1,7 +1,8 @@
---
title: Settings Policy CSP
description: Learn more about the Settings Area in Policy CSP.
-ms.date: 05/20/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md
index 39e032a8b4..9b8ffbd08d 100644
--- a/windows/client-management/mdm/policy-csp-settingssync.md
+++ b/windows/client-management/mdm/policy-csp-settingssync.md
@@ -1,7 +1,8 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -23,7 +24,7 @@ ms.date: 01/18/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -84,7 +85,7 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -139,6 +140,56 @@ If you don't set or disable this setting, syncing of the "language preferences"
+
+## EnableWindowsbackup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SettingsSync/EnableWindowsbackup
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsbackup |
+| ADMX File Name | SettingSync.admx |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 6e99e05ccb..6f7fd23280 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -1,7 +1,8 @@
---
title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -29,20 +30,11 @@ ms.date: 01/31/2024
-
-App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
+
+Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
-- If you enable this setting, you must choose from the following behaviors:
-
-- Turn off app recommendations.
-
-- Show me app recommendations.
-
-- Warn me before installing apps from outside the Store.
-
-- Allow apps from Store only.
-
-- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
+> [!NOTE]
+> This policy will block installation only while the device is online. To block offline installation too, SmartScreen/PreventOverrideForFilesInShell and SmartScreen/EnableSmartScreenInShell policies should also be enabled. This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
@@ -110,23 +102,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
-
-This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
-
-Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
-
-- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
-
-- Warn and prevent bypass
-- Warn.
-
-- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
-
-- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
-
-- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
-
-- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
+
+Allows IT Admins to configure SmartScreen for Windows.
@@ -188,23 +165,8 @@ Some information is sent to Microsoft about files and programs run on PCs with t
-
-This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
-
-Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
-
-- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
-
-- Warn and prevent bypass
-- Warn.
-
-- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
-
-- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
-
-- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
-
-- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
+
+Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.
diff --git a/windows/client-management/mdm/policy-csp-speakforme.md b/windows/client-management/mdm/policy-csp-speakforme.md
new file mode 100644
index 0000000000..d03ff6ce59
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-speakforme.md
@@ -0,0 +1,80 @@
+---
+title: SpeakForMe Policy CSP
+description: Learn more about the SpeakForMe Area in Policy CSP.
+ms.date: 02/13/2025
+ms.topic: generated-reference
+---
+
+
+
+
+# Policy CSP - SpeakForMe
+
+
+
+
+
+
+## EnableSpeakForMe
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/SpeakForMe/EnableSpeakForMe
+```
+
+
+
+
+This policy setting controls whether to allow the creation of personal voices with SpeakForMe Accessibility Windows Application.
+
+- If you enable this policy setting, then user can create their personal voice models.
+
+- If you disable this policy setting, then user can't create their personal voice models with SpeakForMe.
+
+- If you don't configure this policy setting (default), then users can launch the training flow and create their personal voice model through SpeakForMe.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 437f917212..7f7060963f 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -1,7 +1,8 @@
---
title: Speech Policy CSP
description: Learn more about the Speech Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 418199d466..8b02053b78 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,7 +1,8 @@
---
title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,6 +10,8 @@ ms.date: 08/06/2024
# Policy CSP - Start
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -513,6 +516,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th
+
+## AlwaysShowNotificationIcon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Auto-hide notification bell icon. |
+| 1 | Show notification bell icon. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysShowNotificationIcon |
+| Path | Taskbar > AT > StartMenu |
+
+
+
+
+
+
+
+
## ConfigureStartPins
@@ -2247,6 +2307,63 @@ For more information on how to customize the Start layout, see [Customize the St
+
+## TurnOffAbbreviatedDateTimeFormat
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Show abbreviated time and date format. |
+| 1 | Show classic time and date format. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TurnOffAbbreviatedDateTimeFormat |
+| Path | Taskbar > AT > StartMenu |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md
index 34b5c89385..ce1b8bc8d9 100644
--- a/windows/client-management/mdm/policy-csp-stickers.md
+++ b/windows/client-management/mdm/policy-csp-stickers.md
@@ -1,7 +1,8 @@
---
title: Stickers Policy CSP
description: Learn more about the Stickers Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 78f789eba8..ef35797a4d 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -1,7 +1,8 @@
---
title: Storage Policy CSP
description: Learn more about the Storage Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md
index 09a4e3c938..eaa5e96654 100644
--- a/windows/client-management/mdm/policy-csp-sudo.md
+++ b/windows/client-management/mdm/policy-csp-sudo.md
@@ -1,7 +1,8 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 04/10/2024
# Policy CSP - Sudo
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -21,7 +20,7 @@ ms.date: 04/10/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -31,7 +30,20 @@ ms.date: 04/10/2024
-
+
+This policy setting controls use of the sudo.exe command line tool.
+
+- If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:
+
+"Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.
+
+"Force new window": When sudo launches a command line application, it will launch that app in a new console window.
+
+"Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.
+
+"Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.
+
+- If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).
@@ -65,7 +77,11 @@ ms.date: 04/10/2024
| Name | Value |
|:--|:--|
| Name | EnableSudo |
-| Path | Sudo > AT > System |
+| Friendly Name | Configure the behavior of the sudo command |
+| Location | Computer Configuration |
+| Path | System |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Sudo |
+| ADMX File Name | Sudo.admx |
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 57739476b7..98fd8a3ee9 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,7 +1,8 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -11,8 +12,6 @@ ms.date: 08/06/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -431,7 +430,7 @@ This policy setting determines whether Windows is allowed to download fonts and
- If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.
-- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts.
+- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally-installed fonts.
- If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
@@ -569,7 +568,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See for more information.
-When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
+hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
@@ -888,7 +887,7 @@ To enable this behavior:
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
-If you disable or don't configure this policy setting, devices enrolled to Windows Autopatch won't be able to take advantage of some deployment service features.
+If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.
@@ -1471,7 +1470,7 @@ This policy setting lets you prevent apps and features from working with files o
* Users can't access OneDrive from the OneDrive app and file picker.
-* Windows Store apps can't access OneDrive using the WinRT API.
+* Packaged Microsoft Store apps can't access OneDrive using the WinRT API.
* OneDrive doesn't appear in the navigation pane in File Explorer.
@@ -1739,7 +1738,7 @@ This policy setting controls whether Windows records attempts to connect with th
-Diagnostic files created when feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
+Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
@@ -1761,8 +1760,8 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
| Value | Description |
|:--|:--|
-| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so. |
-| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted. |
+| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. |
+| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. |
@@ -1777,7 +1776,7 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 2d9c9595f5..028d0720fb 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -1,7 +1,8 @@
---
title: SystemServices Policy CSP
description: Learn more about the SystemServices Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 04/10/2024
# Policy CSP - SystemServices
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -21,7 +20,7 @@ ms.date: 04/10/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -171,7 +170,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -221,7 +220,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -271,7 +270,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -321,7 +320,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -371,7 +370,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -421,7 +420,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -471,7 +470,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -521,7 +520,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -571,7 +570,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -621,7 +620,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -671,7 +670,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -721,7 +720,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -771,7 +770,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -821,7 +820,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -871,7 +870,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 439cfdb8d3..0de2582caa 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -1,7 +1,8 @@
---
title: TaskManager Policy CSP
description: Learn more about the TaskManager Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index bfe95ab006..d8eae077b9 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -1,7 +1,8 @@
---
title: TaskScheduler Policy CSP
description: Learn more about the TaskScheduler Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
index 6c9181ab8c..00a0d03419 100644
--- a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
+++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
@@ -1,7 +1,8 @@
---
title: TenantDefinedTelemetry Policy CSP
description: Learn more about the TenantDefinedTelemetry Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
index 484f4c88ad..92aabbaa29 100644
--- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -1,7 +1,8 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -41,9 +42,9 @@ When you enable this setting, compliant applications will be prevented from acce
-Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
+Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
-For details about setting up WDAC with tenant restrictions, see
+For details about setting up App Control with tenant restrictions, see
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 359c78a5c8..aeb348c64d 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1,7 +1,8 @@
---
title: TextInput Policy CSP
description: Learn more about the TextInput Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,6 +10,8 @@ ms.date: 01/18/2024
# Policy CSP - TextInput
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -1172,6 +1175,56 @@ Specifies the touch keyboard is always docked. When this policy is set to enable
+
+## TouchKeyboardControllerModeAvailability
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardControllerModeAvailability
+```
+
+
+
+
+Specifies whether the controller keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the controller keyboard mode for touch keyboard is disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | The OS determines when it's most appropriate to be available. |
+| 1 | Controller keyboard is always available. |
+| 2 | Controller keyboard is always disabled. |
+
+
+
+
+
+
+
+
## TouchKeyboardDictationButtonAvailability
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index cfd36f3bb7..46ccf7ac9e 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -1,7 +1,8 @@
---
title: TimeLanguageSettings Policy CSP
description: Learn more about the TimeLanguageSettings Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 4e27dcdaee..9445141187 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -1,7 +1,8 @@
---
title: Troubleshooting Policy CSP
description: Learn more about the Troubleshooting Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 9ecb6a207c..23b1f025ff 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,7 +1,8 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,18 +10,12 @@ ms.date: 09/11/2024
# Policy CSP - Update
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
Update CSP policies are listed below based on the group policy area:
-- [Windows Insider Preview](#windows-insider-preview)
- - [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
- [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](#allowoptionalcontent)
@@ -61,7 +56,8 @@ Update CSP policies are listed below based on the group policy area:
- [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates)
- [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod)
- [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates)
- - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot)
+ - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
+ - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod)
- [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours)
- [ScheduledInstallDay](#scheduledinstallday)
@@ -76,6 +72,7 @@ Update CSP policies are listed below based on the group policy area:
- [SetEDURestart](#setedurestart)
- [UpdateNotificationLevel](#updatenotificationlevel)
- [Legacy Policies](#legacy-policies)
+ - [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays)
- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates)
- [AutoRestartNotificationSchedule](#autorestartnotificationschedule)
@@ -99,188 +96,6 @@ Update CSP policies are listed below based on the group policy area:
- [ScheduleRestartWarning](#schedulerestartwarning)
- [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable)
-## Windows Insider Preview
-
-
-### AlwaysAutoRebootAtScheduledTimeMinutes
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
-```
-
-
-
-
-
-- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
-
-The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
-
-- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
-
-If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[15-180]` |
-| Default Value | 15 |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | AlwaysAutoRebootAtScheduledTime |
-| Friendly Name | Always automatically restart at the scheduled time |
-| Element Name | work (minutes) |
-| Location | Computer Configuration |
-| Path | Windows Components > Windows Update > Manage end user experience |
-| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
-| ADMX File Name | WindowsUpdate.admx |
-
-
-
-
-
-
-
-
-
-### ConfigureDeadlineNoAutoRebootForFeatureUpdates
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
-```
-
-
-
-
-When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Disabled. |
-| 1 | Enabled. |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
-| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
-
-
-
-
-
-
-
-
-
-### ConfigureDeadlineNoAutoRebootForQualityUpdates
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
-```
-
-
-
-
-When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Disabled. |
-| 1 | Enabled. |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
-| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
-
-
-
-
-
-
-
-
## Manage updates offered from Windows Update
@@ -2518,8 +2333,8 @@ Number of days before feature updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
-| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Name | ComplianceDeadlineForFU |
+| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@@ -2578,7 +2393,7 @@ Number of days before quality updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@@ -2633,7 +2448,7 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Grace period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@@ -2687,8 +2502,8 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
-| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Name | ComplianceDeadlineForFU |
+| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Grace Period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@@ -2702,31 +2517,47 @@ Minimum number of days from update installation until restarts occur automatical
-
-### ConfigureDeadlineNoAutoReboot
+
+### ConfigureDeadlineNoAutoRebootForFeatureUpdates
-
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
-
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+
-
+
```Device
-./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot
+./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
-
+
-
-
-When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.
-
+
+
+This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
-
+Set deadlines for feature updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
+
+Set a grace period for feature updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
+
+You can set the device to delay restarting until both the deadline and grace period have expired.
+
+If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
+
+This policy will override the following policies:
+
+1. Specify deadline before auto restart for update installation
+1. Specify Engaged restart transition and notification schedule for updates.
+
+1. Always automatically restart at the scheduled time
+1. Configure Automatic Updates.
+
+
+
-
+
-
+
**Description framework properties**:
| Property name | Property value |
@@ -2734,36 +2565,115 @@ When enabled, devices won't automatically restart outside of active hours until
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
-
+
-
+
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
-
+
-
+
**Group policy mapping**:
| Name | Value |
|:--|:--|
-| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Name | ComplianceDeadlineForFU |
+| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
-
+
-
+
-
+
-
+
+
+
+### ConfigureDeadlineNoAutoRebootForQualityUpdates
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
+```
+
+
+
+
+This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
+
+Set deadlines for quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
+
+Set a grace period for quality updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
+
+You can set the device to delay restarting until both the deadline and grace period have expired.
+
+If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
+
+This policy will override the following policies:
+
+1. Specify deadline before auto restart for update installation
+1. Specify Engaged restart transition and notification schedule for updates.
+
+1. Always automatically restart at the scheduled time
+1. Configure Automatic Updates.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ComplianceDeadline |
+| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
+| Element Name | Don't auto-restart until end of grace period. |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage end user experience |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
+| ADMX File Name | WindowsUpdate.admx |
+
+
+
+
+
+
+
### ConfigureFeatureUpdateUninstallPeriod
@@ -3328,7 +3238,7 @@ These policies are not exclusive and can be used in any combination. Together wi
- the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
+Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
@@ -3647,6 +3557,68 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
## Legacy Policies
+
+### AlwaysAutoRebootAtScheduledTimeMinutes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
+```
+
+
+
+
+
+- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
+
+The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
+
+- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
+
+If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[15-180]` |
+| Default Value | 15 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysAutoRebootAtScheduledTime |
+| Friendly Name | Always automatically restart at the scheduled time |
+| Element Name | work (minutes) |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Legacy Policies |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
+| ADMX File Name | WindowsUpdate.admx |
+
+
+
+
+
+
+
+
### AutoRestartDeadlinePeriodInDays
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index dc226ea336..c489be1733 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1,7 +1,8 @@
---
title: UserRights Policy CSP
description: Learn more about the UserRights Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 01/18/2024
# Policy CSP - UserRights
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@@ -258,7 +257,7 @@ This user right allows a process to impersonate any user without authentication.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -359,7 +358,7 @@ This user right determines which users can log on to the computer.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -460,7 +459,7 @@ This user right determines which users can bypass file, directory, registry, and
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -567,7 +566,7 @@ This user right determines which users and groups can change the time and date o
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1027,7 +1026,7 @@ This security setting determines which service accounts are prevented from regis
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1076,7 +1075,7 @@ This security setting determines which accounts are prevented from being able to
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1336,7 +1335,7 @@ Assigning this user right to a user allows programs running on behalf of that us
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1543,7 +1542,7 @@ This user right determines which accounts can use a process to keep data in phys
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1592,7 +1591,7 @@ This security setting allows a user to be logged-on by means of a batch-queue fa
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1889,7 +1888,7 @@ This user right determines which users can use performance monitoring tools to m
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -1987,7 +1986,7 @@ This user right determines which users are allowed to shut down a computer from
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -2088,7 +2087,7 @@ This user right determines which users can bypass file, directory, registry, and
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index bfea6628c8..2d9385587a 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -1,7 +1,8 @@
---
title: VirtualizationBasedTechnology Policy CSP
description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 0b01461d1e..7b29ec716d 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -1,7 +1,8 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 01/31/2024
# Policy CSP - WebThreatDefense
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
> [!NOTE]
@@ -23,7 +22,7 @@ ms.date: 01/31/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -310,7 +309,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft
- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
-- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
+- If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 677a40fffb..9629567316 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -1,7 +1,8 @@
---
title: Wifi Policy CSP
description: Learn more about the Wifi Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -188,10 +189,7 @@ By default, ICS is disabled when you create a remote access connection, but admi
-Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0.
-
-> [!NOTE]
-> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that aren't user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
+Allow or block connections to Wi-Fi outside of MDM server-installed networks. If you change this setting to Block, you must deploy enterprise Wi-Fi profiles to the device using the Wi-Fi CSP before you apply this setting. Otherwise, the device will go offline since it won't be able to connect to Wi-Fi. Note that choosing to block Wi-Fi connections will delete any previously installed user-configured Wi-Fi profiles from the device, though not all non-MDM profiles will be deleted.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 1d1a1691af..64a8c63abe 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,8 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -15,30 +16,103 @@ ms.date: 09/11/2024
+
+## AllowRecallEnablement
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement
+```
+
+
+
+
+This policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own.
+
+- If this policy isn't configured, end users will have the Recall component in a disabled state.
+
+- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
+
+- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Recall isn't available. |
+| 1 (Default) | Recall is available. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowRecallEnablement |
+| Friendly Name | Allow Recall to be enabled |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | AllowRecallEnablement |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
## DisableAIDataAnalysis
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
+```
-
-This policy setting allows you to determine whether end users have the option to allow snapshots to be saved on their PCs.
+
+This policy setting allows you to determine whether snapshots of the screen can be saved for use with Recall. By default, snapshots for Recall aren't enabled. IT administrators can't, on their own, enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent.
-- If disabled, end users will have a choice to save snapshots of their screen on their PC and then use Recall to find things they've seen.
+- If the policy isn't configured, snapshots won't be saved for use with Recall.
-- If the policy is enabled, end users won't be able to save snapshots on their PC.
+- If you enable this policy, snapshots won't be saved for use with Recall. If snapshots were previously saved on the device, they'll be deleted when this policy is enabled.
-- If the policy isn't configured, end users may or may not be able to save snapshots on their PC-depending on other policy configurations.
+If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
@@ -70,7 +144,12 @@ This policy setting allows you to determine whether end users have the option to
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
-| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
+| Friendly Name | Turn off saving snapshots for use with Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | DisableAIDataAnalysis |
+| ADMX File Name | WindowsCopilot.admx |
@@ -141,6 +220,68 @@ This policy setting allows you to control whether Cocreator functionality is dis
+
+## DisableGenerativeFill
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill
+```
+
+
+
+
+This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app.
+
+- If this policy is enabled, generative fill functionality won't be accessible in the Paint app.
+
+- If this policy is disabled or not configured, users will be able to access generative fill functionality.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Generative fill is enabled. |
+| 1 | Generative fill is disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableGenerativeFill |
+| Path | WindowsAI > AT > WindowsComponents > Paint |
+
+
+
+
+
+
+
+
## DisableImageCreator
@@ -203,6 +344,350 @@ This policy setting allows you to control whether Image Creator functionality is
+
+## SetCopilotHardwareKey
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
+```
+
+
+
+
+This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
+
+- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
+
+- If the policy isn't configured, Copilot will open if it's available in that country or region.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetCopilotHardwareKey |
+| Friendly Name | Set Copilot Hardware Key |
+| Location | User Configuration |
+| Path | Windows Components > Windows Copilot |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetDenyAppListForRecall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
+```
+
+
+
+
+This policy allows you to define a list of apps that won't be included in snapshots for Recall.
+
+Users will be able to add additional applications to exclude from snapshots using Recall settings.
+
+The list can include Application User Model IDs (AUMID) or name of the executable file.
+
+Use a semicolon-separated list of apps to define the deny app list for Recall.
+
+For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
+
+> [!IMPORTANT]
+> When configuring this policy setting, changes won't take effect until the device restarts.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDenyAppListForRecall |
+| Friendly Name | Set a list of apps to be filtered from snapshots for Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetDenyAppListForRecall |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetDenyUriListForRecall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
+```
+
+
+
+
+This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
+
+For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
+
+Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
+
+> [!IMPORTANT]
+> Changes to this policy take effect after device restart.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDenyUriListForRecall |
+| Friendly Name | Set a list of URIs to be filtered from snapshots for Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetDenyUriListForRecall |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetMaximumStorageDurationForRecallSnapshots
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
+```
+
+
+
+
+This policy setting allows you to control the maximum amount of time (in days) that Windows saves snapshots for Recall.
+
+When the policy is enabled, you can configure the maximum storage duration to be 30, 60, 90, or 180 days.
+
+When this policy isn't configured, a time frame isn't set for deleting snapshots.
+
+Snapshots aren't deleted until the maximum storage allocation for Recall is reached, and then the oldest snapshots are deleted first.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Let the OS define the maximum amount of time the snapshots will be saved. |
+| 30 | 30 days. |
+| 60 | 60 days. |
+| 90 | 90 days. |
+| 180 | 180 days. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetMaximumStorageDurationForRecallSnapshots |
+| Friendly Name | Set maximum duration for storing snapshots used by Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetMaximumStorageDurationForRecallSnapshots |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetMaximumStorageSpaceForRecallSnapshots
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
+```
+
+
+
+
+This policy setting allows you to control the maximum amount of disk space that can be used by Windows to save snapshots for Recall.
+
+You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB.
+
+When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity.
+
+25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
+| 10240 | 10GB. |
+| 25600 | 25GB. |
+| 51200 | 50GB. |
+| 76800 | 75GB. |
+| 102400 | 100GB. |
+| 153600 | 150GB. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetMaximumStorageSpaceForRecallSnapshots |
+| Friendly Name | Set maximum storage for snapshots used by Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetMaximumStorageSpaceForRecallSnapshots |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
## TurnOffWindowsCopilot
@@ -231,10 +716,10 @@ This policy setting allows you to turn off Windows Copilot.
-
-> [!Note]
-> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
+> [!NOTE]
+> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
+> - This policy also applies to upgrade scenarios to prevent installation of the Copilot app from an image that would have had the Copilot in Windows pane.
diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md
index 1e3b68c37a..f10f3f5b34 100644
--- a/windows/client-management/mdm/policy-csp-windowsautopilot.md
+++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md
@@ -1,7 +1,8 @@
---
title: WindowsAutopilot Policy CSP
description: Learn more about the WindowsAutopilot Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index ae7bafe0cf..c6e242ce9b 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -1,7 +1,8 @@
---
title: WindowsConnectionManager Policy CSP
description: Learn more about the WindowsConnectionManager Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index bc665f2973..5893ab6810 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderSecurityCenter Policy CSP
description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index c84c0bded7..541efe7904 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -1,7 +1,8 @@
---
title: WindowsInkWorkspace Policy CSP
description: Learn more about the WindowsInkWorkspace Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index d9c4d40da1..8988bf7de4 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,7 +1,8 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -349,7 +350,7 @@ This policy setting allows you to control whether users see the first sign-in an
| Name | Value |
|:--|:--|
| Name | EnableFirstLogonAnimation |
-| Friendly Name | Show first sign-in animation |
+| Friendly Name | Show first sign-in animation |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
@@ -380,11 +381,11 @@ This policy setting allows you to control whether users see the first sign-in an
-This policy controls the configuration under which winlogon sends MPR notifications in the system.
+This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
-- If you enable this setting or don't configure it, winlogon sends MPR notifications if a credential manager is configured.
+- If you disable this setting or don't configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
-- If you disable this setting, winlogon doesn't send MPR notifications.
+- If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
@@ -415,7 +416,7 @@ This policy controls the configuration under which winlogon sends MPR notificati
| Name | Value |
|:--|:--|
| Name | EnableMPRNotifications |
-| Friendly Name | Enable MPR notifications for the system |
+| Friendly Name | Configure the transmission of the user's password in the content of MPR notifications sent by winlogon. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index 9e4a87efb2..b69ea72761 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -1,7 +1,8 @@
---
title: WindowsPowerShell Policy CSP
description: Learn more about the WindowsPowerShell Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index ffa94e847a..d0946277b5 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -1,7 +1,8 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 01/18/2024
# Policy CSP - WindowsSandbox
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -21,7 +20,7 @@ ms.date: 01/18/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -56,10 +55,18 @@ Note that there may be security implications of exposing host audio input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -86,7 +93,7 @@ Note that there may be security implications of exposing host audio input to the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -119,10 +126,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -149,7 +164,7 @@ This policy setting enables or disables clipboard sharing with the sandbox.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -159,8 +174,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
-
-Allow mapping folders into Windows Sandbox.
+
+This policy setting enables or disables mapping folders into sandbox.
+
+- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
+
+- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
+
+- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
+
+- If you don't configure this policy setting, mapped folders will be enabled.
+
+Note that there may be security implications of exposing folders from the host into the container.
@@ -174,17 +199,30 @@ Allow mapping folders into Windows Sandbox.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowMappedFolders |
-| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
+| Friendly Name | Allow mapping folders into Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowMappedFolders |
+| ADMX File Name | WindowsSandbox.admx |
@@ -199,7 +237,7 @@ Allow mapping folders into Windows Sandbox.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -234,10 +272,18 @@ Note that enabling networking can expose untrusted applications to the internal
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -264,7 +310,7 @@ Note that enabling networking can expose untrusted applications to the internal
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -297,10 +343,18 @@ This policy setting enables or disables printer sharing from the host into the S
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -327,7 +381,7 @@ This policy setting enables or disables printer sharing from the host into the S
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -362,10 +416,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -392,7 +454,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -427,10 +489,18 @@ Note that there may be security implications of exposing host video input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -457,7 +527,7 @@ Note that there may be security implications of exposing host video input to the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -467,8 +537,18 @@ Note that there may be security implications of exposing host video input to the
-
-Allow Sandbox to write to mapped folders.
+
+This policy setting enables or disables mapping folders into sandbox.
+
+- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
+
+- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
+
+- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
+
+- If you don't configure this policy setting, mapped folders will be enabled.
+
+Note that there may be security implications of exposing folders from the host into the container.
@@ -482,18 +562,31 @@ Allow Sandbox to write to mapped folders.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` Dependency Allowed Value: `[1]` Dependency Allowed Value Type: `Range` |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
| Name | Value |
|:--|:--|
-| Name | AllowWriteToMappedFolders |
-| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
+| Name | AllowMappedFolders |
+| Friendly Name | Allow mapping folders into Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowMappedFolders |
+| ADMX File Name | WindowsSandbox.admx |
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 70e8e67fba..9a7729d8ac 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -1,7 +1,8 @@
---
title: WirelessDisplay Policy CSP
description: Learn more about the WirelessDisplay Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/printerprovisioning-csp.md b/windows/client-management/mdm/printerprovisioning-csp.md
index 8667239d07..6b09526d28 100644
--- a/windows/client-management/mdm/printerprovisioning-csp.md
+++ b/windows/client-management/mdm/printerprovisioning-csp.md
@@ -1,7 +1,8 @@
---
title: PrinterProvisioning CSP
description: Learn more about the PrinterProvisioning CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md
index e4db037ecb..3929db5f29 100644
--- a/windows/client-management/mdm/printerprovisioning-ddf-file.md
+++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md
@@ -1,7 +1,8 @@
---
title: PrinterProvisioning DDF file
description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index b095998bbd..3d72cde805 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,7 +1,8 @@
---
title: Reboot CSP
description: Learn more about the Reboot CSP.
-ms.date: 01/18/2024
+ms.date: 02/14/2025
+ms.topic: generated-reference
---
@@ -9,8 +10,6 @@ ms.date: 01/18/2024
# Reboot CSP
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
The Reboot configuration service provider is used to configure reboot settings.
@@ -122,7 +121,7 @@ The supported operation is Get.
-Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.
+Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it's supported to set either DailyRecurrent or WeeklyRecurrent schedules, it isn't supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.
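Review bot: The new example `2025-10-07T10:35:00` carries no UTC offset, and an ISO 8601 value without a designator reads as local time, so the sentence still leaves open whether the reboot fires at device local time or at UTC — which matters for devices that roam across time zones or whose clock shifts for DST. A clause such as `The value is interpreted as local device time; a trailing Z or offset is not accepted` (or whichever is actually the case) would remove the ambiguity. The same wording recurs in the WeeklyRecurrent and Single hunks of this file and in the three matching reboot-ddf-file.md hunks below.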
@@ -161,7 +160,7 @@ Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecur
-Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule.
+Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.
@@ -189,7 +188,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -200,7 +199,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule
-Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled every week at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.
+Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it's supported to set either DailyRecurrent or WeeklyRecurrent schedules, it isn't supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index ab06e22815..af569e0d56 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -1,7 +1,8 @@
---
title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -95,7 +96,7 @@ The following XML file contains the device description framework (DDF) for the R
- Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule.
+ Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.
@@ -122,7 +123,7 @@ The following XML file contains the device description framework (DDF) for the R
- Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.
+ Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.
@@ -149,7 +150,7 @@ The following XML file contains the device description framework (DDF) for the R
- Value in ISO8601, time is required. Either setting DailyRecurrent or WeeklyRecurrent is supported but not both at same time. A reboot will be scheduled every week at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule.
+ Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.
@@ -164,8 +165,8 @@ The following XML file contains the device description framework (DDF) for the R
- 99.9.99999
- 9.9
+ 10.0.26100
+ 1.0
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 1c0afff55f..97af6fd97c 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,7 +1,8 @@
---
title: RemoteWipe CSP
description: Learn more about the RemoteWipe CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 6ec9d27e89..40776b4b16 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,7 +1,8 @@
---
title: RemoteWipe DDF file
description: View the XML file containing the device description framework (DDF) for the RemoteWipe configuration service provider.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 6445586c10..6bb6c3faf5 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,7 +1,8 @@
---
title: RootCATrustedCertificates CSP
description: Learn more about the RootCATrustedCertificates CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 5479190d60..3528cce7c2 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,7 +1,8 @@
---
title: RootCATrustedCertificates DDF file
description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 172e2ef819..752bd84fea 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,7 +1,8 @@
---
title: SecureAssessment CSP
description: Learn more about the SecureAssessment CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 7d49cb3604..eb02e07a68 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,7 +1,8 @@
---
title: SecureAssessment DDF file
description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index bdff7ac7bd..f78f9cba3b 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -1,7 +1,8 @@
---
title: SharedPC CSP
description: Learn more about the SharedPC CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index 4412297df6..353d0ba339 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,7 +1,8 @@
---
title: SharedPC DDF file
description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 3793140f08..7a65e1a5e3 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,7 +1,8 @@
---
title: SUPL CSP
description: Learn more about the SUPL CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -289,7 +290,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on
-Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
+Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index 0797c3447b..64f70d8fef 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -1,7 +1,8 @@
---
title: SUPL DDF file
description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 663982ef0f..b13fdc33e3 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -1,7 +1,8 @@
---
title: SurfaceHub CSP
description: Learn more about the SurfaceHub CSP.
-ms.date: 08/16/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md
index 1193b28214..575f8e582a 100644
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -1,7 +1,8 @@
---
title: SurfaceHub DDF file
description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider.
-ms.date: 08/16/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index eba37a1745..4b5c7ff09c 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -48,12 +48,12 @@ items:
- name: Protocol
expanded: true
items:
- - name: Overview
- href: ../declared-configuration.md
- - name: Discovery
- href: ../declared-configuration-discovery.md
- - name: Enrollment
- href: ../declared-configuration-enrollment.md
+ - name: Overview
+ href: ../declared-configuration.md
+ - name: Discovery
+ href: ../declared-configuration-discovery.md
+ - name: Enrollment
+ href: ../declared-configuration-enrollment.md
- name: Extensibility
href: ../declared-configuration-extensibility.md
- name: Resource access
@@ -387,7 +387,7 @@ items:
href: policy-csp-authentication.md
- name: Autoplay
href: policy-csp-autoplay.md
- - name: BitLocker
+ - name: Bitlocker
href: policy-csp-bitlocker.md
- name: BITS
href: policy-csp-bits.md
@@ -537,6 +537,8 @@ items:
href: policy-csp-settingssync.md
- name: SmartScreen
href: policy-csp-smartscreen.md
+ - name: SpeakForMe
+ href: policy-csp-speakforme.md
- name: Speech
href: policy-csp-speech.md
- name: Start
@@ -835,10 +837,10 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- - name: PDE
+ - name: Personal Data Encryption
href: personaldataencryption-csp.md
items:
- - name: PDE DDF file
+ - name: Personal Data Encryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization
href: personalization-csp.md
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 58d6463c97..9c7df2dfd8 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,7 +1,8 @@
---
title: VPNv2 CSP
description: Learn more about the VPNv2 CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -863,11 +864,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
-False: Don't Bypass for Local traffic.
-
-True: ByPass VPN Interface for Local Traffic.
-
-Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+Not supported.
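Review bot: The bare `Not supported.` that now stands for BypassForLocal leaves unstated what an administrator most needs to know: whether a profile that still sets this node is rejected or accepted with the value ignored, and what the effective behaviour is for force-tunnel profiles that previously relied on the local-subnet exception. One sentence describing the handling of an existing value, for example `Not supported. The node is accepted for backward compatibility but has no effect; local-subnet traffic follows the tunnel configuration.` (adjusted to the real behaviour), would keep the setting auditable. The same replacement is made in the second vpnv2-csp.md hunk and in both vpnv2-ddf-file.md hunks.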
@@ -5160,11 +5157,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
-False: Don't Bypass for Local traffic.
-
-True: ByPass VPN Interface for Local Traffic.
-
-Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+Not supported.
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index abe39e405a..2b6a1f45d4 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -1,7 +1,8 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
@@ -1156,10 +1157,7 @@ The following XML file contains the device description framework (DDF) for the V
- False : Do not Bypass for Local traffic
- True : ByPass VPN Interface for Local Traffic
-
- Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+ Not supported.
@@ -4425,10 +4423,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
- False : Do not Bypass for Local traffic
- True : ByPass VPN Interface for Local Traffic
-
- Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+ Not supported.
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index da583b8cd9..33d21ef260 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,7 +1,8 @@
---
title: WiFi CSP
description: Learn more about the WiFi CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index a2a8cf4407..5b19466938 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WiFi DDF file
description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 10546d7713..0e493f19d0 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderApplicationGuard CSP
description: Learn more about the WindowsDefenderApplicationGuard CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 06f96f2518..9af969aacd 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 91e5d7b4ea..bef27c7ed9 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,7 +1,8 @@
---
title: WindowsLicensing CSP
description: Learn more about the WindowsLicensing CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index d2abdc9fc4..22e3081e8b 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WindowsLicensing DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 12bac7c750..253819df28 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,7 +1,8 @@
---
title: WiredNetwork CSP
description: Learn more about the WiredNetwork CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index 178bba80f3..9c796c3f69 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WiredNetwork DDF file
description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md
index 214a73f052..5c3f785c04 100644
--- a/windows/client-management/mobile-device-enrollment.md
+++ b/windows/client-management/mobile-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index 053a0dd779..7be08881f7 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,7 +1,7 @@
---
title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
-ms.topic: conceptual
+ms.topic: whats-new
ms.localizationpriority: medium
ms.date: 07/08/2024
---
diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md
index 5caf42c5f0..7095cd64e9 100644
--- a/windows/client-management/oma-dm-protocol-support.md
+++ b/windows/client-management/oma-dm-protocol-support.md
@@ -1,7 +1,7 @@
---
title: OMA DM protocol support
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index e6c445b43c..16f7ade83e 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index e0842698e8..9d21cb1322 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/recall-sensitive-information-filtering.md b/windows/client-management/recall-sensitive-information-filtering.md
new file mode 100644
index 0000000000..e6d8c32969
--- /dev/null
+++ b/windows/client-management/recall-sensitive-information-filtering.md
@@ -0,0 +1,190 @@
+---
+title: Sensitive information filtering in Recall
+description: Learn about the types of potentially sensitive information Recall detects.
+ms.topic: reference
+ms.subservice: windows-copilot
+ms.date: 11/22/2024
+ms.author: mstewart
+author: mestew
+ms.collection:
+ - windows-copilot
+ - magic-ai-copilot
+appliesto:
+- ✅ Copilot+ PCs
+---
+
+
+# Reference for sensitive information filtering in Recall
+
+This article provides information about the types of potentially sensitive information that [Recall](manage-recall.md) detects when the **Sensitive Information Filtering** setting is enabled.
+
+## Types of potentially sensitive information
+
+Types of potentially sensitive information that Recall detects and filters include:
+
+ABA Routing Number
+Argentina National Identity (DNI) Number
+Argentina Unique Tax Identification Key (CUIT/CUIL)
+Australia Bank Account Number
+Australia Drivers License Number
+Australia Tax File Number
+Austria Driver's License Number
+Austria Identity Card
+Austria Social Security Number
+Austria Tax Identification Number
+Austria Value Added Tax
+Azure Document DB Auth Key
+Azure IAAS Database Connection String and Azure SQL Connection String
+Azure IoT Connection String
+Azure Redis Cache Connection String
+Azure SAS
+Azure Secrets (Generic)
+Azure Service Bus Connection String
+Azure Storage Account Key
+Belgium Driver's License Number
+Belgium National Number
+Belgium Value Added Tax Number
+Brazil CPF Number
+Brazil Legal Entity Number (CNPJ)
+Brazil National ID Card (RG)
+Bulgaria Driver's License Number
+Bulgaria Uniform Civil Number
+Canada Bank Account Number
+Canada Driver's License Number
+Canada Social Insurance Number
+Chile Identity Card Number
+China Resident Identity Card (PRC) Number
+Colombia National ID
+Credit Card Number
+Croatia Driver's License Number
+Croatia Identity Card Number
+Croatia Personal Identification (OIB) Number
+Cyprus Driver's License Number
+Cyprus Identity Card
+Cyprus Tax Identification Number
+Czech Driver's License Number
+Czech Personal Identity Number
+DEA Number
+Denmark Driver's License Number
+Denmark Personal Identification Number
+Ecuador Unique Identification Number
+Estonia Driver's License Number
+Estonia Personal Identification Code
+EU Debit Card Number
+EU Driver's License Number
+EU National Id Card
+EU SSN or Equivalent Number
+EU Tax File Number
+Finland Driver's License Number
+Finnish National ID
+France CNI
+France Driver's License Number
+France INSEE
+France Tax Identification Number (numéro SPI.)
+France Value Added Tax Number
+General Password
+German Driver's License Number
+Germany Identity Card Number
+Germany Tax Identification Number
+Germany Value Added Tax Number
+Greece Driver's License Number
+Greece National ID Card
+Greece Social Security Number (AMKA)
+Greek Tax Identification Number
+Hong Kong Identity Card (HKID) number
+Hungarian Social Security Number (TAJ)
+Hungarian Value Added Tax Number
+Hungary Driver's License Number
+Hungary Personal Identification Number
+Hungary Tax Identification Number
+IBAN
+India Driver's License Number
+India GST number
+India Permanent Account Number
+India Unique Identification (Aadhaar) number
+India Voter Id Card
+Indonesia Drivers License Number
+Indonesia Identity Card (KTP) Number
+Ireland Driver's License Number
+Ireland Personal Public Service (PPS) Number
+Israel Bank Account Number
+Israel National ID Number
+Italy Driver's license Number
+Italy Fiscal Code
+Italy Value Added Tax
+Japan Bank Account Number
+Japan Driver's License Number
+Japan Residence Card Number
+Japan Resident Registration Number
+Japan Social Insurance Number
+Japanese My Number – Corporate
+Japanese My Number – Personal
+Latvia Driver's License Number
+Latvia Personal Code
+Lithuania Driver's License Number
+Lithuania Personal Code
+Luxembourg Driver's License Number
+Luxembourg National Identification Number (Natural persons)
+Luxembourg National Identification Number (Non-natural persons)
+Malaysia ID Card Number
+Malta Driver's License Number
+Malta Identity Card Number
+Malta Tax ID Number
+Mexico Unique Population Registry Code (CURP)
+Netherlands Citizen's Service (BSN) Number
+Netherlands Driver's License Number
+Netherlands Tax Identification Number
+Netherlands Value Added Tax Number
+New Zealand Bank Account Number
+New Zealand Driver License Number
+New Zealand Inland Revenue Number
+Newzealand Social Welfare Number
+Norway Identification Number
+Philippines National ID
+Philippines Passport Number
+Philippines Unified Multi-Purpose ID number
+Poland Driver's License Number
+Poland Identity Card
+Poland National ID (PESEL)
+Poland Tax Identification Number
+Polish REGON Number
+Portugal Citizen Card Number
+Portugal Driver's License Number
+Portugal Tax Identification Number
+Qatari ID Card Number
+Romania Driver's License Number
+Romania Personal Numerical Code (CNP)
+Saudi Arabia National ID
+Singapore Driving License Number
+Singapore National Registration Identity Card (NRIC) Number
+Slovakia Driver's License Number
+Slovakia Personal Number
+Slovenia Driver's License Number
+Slovenia Tax Identification Number
+Slovenia Unique Master Citizen Number
+South Africa Identification Number
+South Korea Driver's License Number
+South Korea Resident Registration Number
+Spain DNI
+Spain Driver's License Number
+Spain SSN
+Spain Tax Identification Number
+Sweden Driver's License Number
+Sweden National ID
+Sweden Tax Identification Number
+SWIFT Code
+Swiss SSN AHV Number
+Taiwan Resident Certificate (ARC/TARC)
+Taiwanese National ID
+Thai Citizen ID
+Turkish National Identity
+U.K. Driver's License Number
+U.K. Electoral Number
+U.K. NHS Number
+U.K. NINO
+U.K. Unique Taxpayer Reference Number
+U.S. Bank Account Number
+U.S. Driver's License Number
+U.S. Individual Taxpayer Identification Number (ITIN)
+U.S. Social Security Number
+UAE Identity Card Number
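Review bot: The entries from `ABA Routing Number` through `UAE Identity Card Number` are consecutive plain lines with no list markers or blank lines between them, so Markdown renders them as one run-on paragraph rather than a list; prefixing each line with `- ` (or using a table) fixes the rendering. Two entries look like typos, `Newzealand Social Welfare Number` and `Indonesia Drivers License Number` next to `Australia Drivers License Number`, though if these are the literal classifier names they should stay as they are. The introduction says Recall "detects and filters" these types; if detection is pattern-based, stating whether the list is exhaustive and that filtering is best-effort would set accurate expectations for administrators evaluating this control.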
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index 92e09679f4..8931bdcdbf 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md
index a1fcf0777c..2079c53f5a 100644
--- a/windows/client-management/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md
@@ -1,7 +1,7 @@
---
title: Structure of OMA DM provisioning files
description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 4aa913ef53..955dee1921 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -48,10 +48,12 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
- - name: Updated Windows and Microsoft Copilot experience
+ - name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md
- name: Manage Recall
- href: manage-recall.md
+ href: manage-recall.md
+ - name: Reference for sensitive information filtering in Recall
+ href: recall-sensitive-information-filtering.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Certificate renewal
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index f327359fe3..26f9a581c9 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -1,7 +1,7 @@
---
title: Understanding ADMX policies
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
index ca347147ab..e404a8bacd 100644
--- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -1,7 +1,7 @@
---
title: Using PowerShell scripting with the WMI Bridge Provider
description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md
index 363072d68c..eebd880b1e 100644
--- a/windows/client-management/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md
@@ -1,7 +1,7 @@
---
title: Win32 and Desktop Bridge app ADMX policy Ingestion
description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md
index a9b47a78e9..a86920ff45 100644
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,7 +1,7 @@
---
title: Enterprise settings and policy management
description: The DMClient manages the interaction between a device and a server. Learn more about the client-server management workflow.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index 610f0e36b9..e9a528a68b 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,7 +1,7 @@
---
title: WMI providers supported in Windows
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md
index 3d2532b2af..26cb548ff8 100644
--- a/windows/configuration/assigned-access/configuration-file.md
+++ b/windows/configuration/assigned-access/configuration-file.md
@@ -3,7 +3,7 @@ title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
-ms.date: 03/04/2024
+ms.date: 10/31/2024
appliesto:
---
diff --git a/windows/configuration/assigned-access/examples.md b/windows/configuration/assigned-access/examples.md
index 3c0c865d64..0970cd2d90 100644
--- a/windows/configuration/assigned-access/examples.md
+++ b/windows/configuration/assigned-access/examples.md
@@ -1,7 +1,7 @@
---
title: Assigned Access examples
description: Practical examples of XML files to configure Assigned Access.
-ms.date: 03/04/2024
+ms.date: 10/31/2024
ms.topic: reference
zone_pivot_groups: windows-versions-11-10
appliesto:
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-example.png b/windows/configuration/assigned-access/images/restricted-user-experience-example.png
new file mode 100644
index 0000000000..e2863c0f06
Binary files /dev/null and b/windows/configuration/assigned-access/images/restricted-user-experience-example.png differ
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png b/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png
index 6105c7bdd7..6deca437a7 100644
Binary files a/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png and b/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png differ
diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md
index e8f3ecf20b..198d5e431c 100644
--- a/windows/configuration/assigned-access/index.md
+++ b/windows/configuration/assigned-access/index.md
@@ -2,7 +2,7 @@
title: Windows kiosks and restricted user experiences
description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
ms.topic: overview
-ms.date: 03/04/2024
+ms.date: 10/31/2024
---
# Windows kiosks and restricted user experiences
@@ -43,6 +43,8 @@ Windows offers two different features to configure a kiosk experience:
This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
+:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
+
To configure a restricted user experience, you use the **Assigned Access** feature.
## Choose the right experience
diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md
index 12ed03cf42..9e87bd19a5 100644
--- a/windows/configuration/assigned-access/overview.md
+++ b/windows/configuration/assigned-access/overview.md
@@ -1,7 +1,7 @@
---
title: What is Assigned Access?
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
-ms.date: 06/14/2024
+ms.date: 10/31/2024
ms.topic: overview
---
@@ -298,35 +298,6 @@ To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWO
The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
-### Keyboard shortcuts
-
-The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
-
-| Keyboard shortcut | Action |
-|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
-| Ctrl + Shift + Esc | Open Task Manager |
-| WIN + , (comma) | Temporarily peek at the desktop |
-| WIN + A | Open Action center |
-| WIN + Alt + D | Display and hide the date and time on the desktop |
-| WIN + Ctrl + F | Find computer objects in Active Directory |
-| WIN + D | Display and hide the desktop |
-| WIN + E | Open File Explorer |
-| WIN + F | Open Feedback Hub |
-| WIN + G | Open Game bar when a game is open |
-| WIN + I | Open Settings |
-| WIN + J | Set focus to a Windows tip when one is available |
-| WIN + O | Lock device orientation |
-| WIN + Q | Open search |
-| WIN + R | Open the Run dialog box |
-| WIN + S | Open search |
-| WIN + Shift + C | Open Cortana in listening mode |
-| WIN + X | Open the Quick Link menu |
-| LaunchApp1 | Open the app that is assigned to this key |
-| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
-| LaunchMail | Open the default mail client |
-
-For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts).
-
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md
index 0bf8a93e30..41072ae848 100644
--- a/windows/configuration/assigned-access/policy-settings.md
+++ b/windows/configuration/assigned-access/policy-settings.md
@@ -2,7 +2,7 @@
title: Assigned Access policy settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
-ms.date: 03/04/2024
+ms.date: 02/25/2025
---
# Assigned Access policy settings
@@ -20,6 +20,7 @@ The following policy settings are applied at the device level when you deploy a
| Type | Path | Name/Description |
|---------|----------------------------------------------------------------------------|---------------------------------------------------------------------------|
+| **CSP** | `./Vendor/MSFT/Policy/Config/Settings/AllowOnlineTips` | Allow Online Tips |
| **CSP** | `./Vendor/MSFT/Policy/Config/Experience/AllowCortana` | Disable Cortana |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments` | Disable Start documents icon |
| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads` | Disable Start downloads icon |
@@ -39,21 +40,23 @@ The following policy settings are applied at the device level when you deploy a
## User policy settings
-The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience:
+The following policy settings are applied to targeted user accounts when you deploy a restricted user experience:
| Type | Path | Name/Description |
|---------|----------------------------------------------------------------------------------|-------------------------------------------------------------------|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus` | Disable Context Menu for Start menu apps |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar` | Hide People Bar from appearing on taskbar |
-| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists` | Hide recent jumplists from appearing on the Start menu/taskbar |
+| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu |
+| **CSP** | User Configuration\Administrative Templates\Windows Components\Windows Copilot | Turn off Windows Copilot |
+| **GPO** | User Configuration\Administrative Templates\Desktop | Hide and disable all items on the desktop |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit |
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toast |
+| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toasts |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning items in Jump Lists |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide and disable all items on the desktop |
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the Task View button |
+| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the TaskView button |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock all taskbar settings |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock the Taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from adding or removing toolbars |
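Review bot: The new row `| **CSP** | User Configuration\Administrative Templates\Windows Components\Windows Copilot | Turn off Windows Copilot |` is typed as a CSP but carries an ADMX Group Policy path, and the next hunk (@@ -69,21 +72,24 @@) adds the identical setting again typed as **GPO**; the CSP row should be removed unless a distinct CSP node is intended, in which case it needs a `./User/Vendor/MSFT/Policy/...` style path rather than the ADMX one. The same two hunks also leave duplicate rows in the table: `Hide and disable all items on the desktop` now appears under both `Desktop` and `Start Menu and Taskbar`, `Prevent access to drives from My Computer` is listed twice (the second under `WindowsComponents`, missing the space), and `Hide the TaskView button` is listed under both `Start Menu and Taskbar` and `Start Menu and Taskbar\Notifications`. Because this table is what administrators use to verify which restrictions a restricted user experience actually enforces, a reader may conclude that two distinct policies apply where only one does, or that a typed CSP setting exists where there is none.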
@@ -69,21 +72,24 @@ The following policy settings are applied to any nonadministrator account when y
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Notification and Action Center |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Quick Settings |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Run menu from Start Menu |
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove the Security and Maintenance icon |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off all balloon notifications |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off feature advertisement balloon notifications |
+| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Hide the TaskView button |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Change Password |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Logoff |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
+| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Prevent access to drives from My Computer |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
+| **GPO** | User Configuration\Administrative Templates\Windows Components\Windows Copilot | Turn off Windows Copilot |
+| **GPO** | User Configuration\Administrative Templates\WindowsComponents\File Explorer | Prevent access to drives from My Computer |
The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge:
| Type | Path | Name/Description |
|---------|-----------------------------------------------------------------------------------|--------------------------------------------------------|
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Run only specified Windows applications > `msedge.exe` |
+| **GPO** | User Configuration\Administrative Templates\System | Run only specified Windows applications > `msedge.exe` |
| **GPO** | User Configuration\Administrative Templates\System | Turn off toast notifications |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > `.pdf;.epub` |
@@ -112,3 +118,32 @@ The deny list is used to prevent the user from accessing the apps, which are cur
1. The default rule is to allow all users to launch the desktop programs signed with *Microsoft Certificate* for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
1. There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the *desktop app allow list* that you defined in the Assigned Access configuration
1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list
+
+## Keyboard shortcuts
+
+The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
+
+| Keyboard shortcut | Action |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
+| Ctrl + Shift + Esc | Open Task Manager |
+| WIN + , (comma) | Temporarily peek at the desktop |
+| WIN + A | Open Action center |
+| WIN + Alt + D | Display and hide the date and time on the desktop |
+| WIN + Ctrl + F | Find computer objects in Active Directory |
+| WIN + D | Display and hide the desktop |
+| WIN + E | Open File Explorer |
+| WIN + F | Open Feedback Hub |
+| WIN + G | Open Game bar when a game is open |
+| WIN + I | Open Settings |
+| WIN + J | Set focus to a Windows tip when one is available |
+| WIN + O | Lock device orientation |
+| WIN + Q | Open search |
+| WIN + R | Open the Run dialog box |
+| WIN + S | Open search |
+| WIN + Shift + C | Open Cortana in listening mode |
+| WIN + X | Open the Quick Link menu |
+| LaunchApp1 | Open the app that is assigned to this key |
+| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
+| LaunchMail | Open the default mail client |
+
+For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts).
diff --git a/windows/configuration/assigned-access/quickstart-kiosk.md b/windows/configuration/assigned-access/quickstart-kiosk.md
index 0dd9ff9fa7..b0583377da 100644
--- a/windows/configuration/assigned-access/quickstart-kiosk.md
+++ b/windows/configuration/assigned-access/quickstart-kiosk.md
@@ -2,7 +2,7 @@
title: "Quickstart: configure a kiosk experience with Assigned Access"
description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 03/04/2024
+ms.date: 10/31/2024
---
# Quickstart: configure a kiosk with Assigned Access
diff --git a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
index de5573c281..75d9bb74c1 100644
--- a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
+++ b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
@@ -2,7 +2,7 @@
title: "Quickstart: configure a restricted user experience with Assigned Access"
description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 03/04/2024
+ms.date: 10/31/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---
diff --git a/windows/configuration/assigned-access/recommendations.md b/windows/configuration/assigned-access/recommendations.md
index 64b2ce4d5c..10a4e13dcf 100644
--- a/windows/configuration/assigned-access/recommendations.md
+++ b/windows/configuration/assigned-access/recommendations.md
@@ -2,7 +2,7 @@
title: Assigned Access recommendations
description: Learn about the recommended kiosk and restricted user experience configuration options.
ms.topic: best-practice
-ms.date: 03/11/2024
+ms.date: 10/31/2024
---
# Assigned Access recommendations
diff --git a/windows/configuration/assigned-access/shell-launcher/configuration-file.md b/windows/configuration/assigned-access/shell-launcher/configuration-file.md
index d63efdb85b..459b26e0a2 100644
--- a/windows/configuration/assigned-access/shell-launcher/configuration-file.md
+++ b/windows/configuration/assigned-access/shell-launcher/configuration-file.md
@@ -1,7 +1,7 @@
---
title: Create a Shell Launcher configuration file
description: Learn how to create an XML file to configure a device with Shell Launcher.
-ms.date: 02/12/2024
+ms.date: 10/31/2024
ms.topic: how-to
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
index eb3b1a1b04..67b1c7788a 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
+++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 10/31/2024
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
index c783de00f6..d6c03611c6 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
+++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 10/31/2024
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
index 80e9dd0bb8..085c937378 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
+++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 10/31/2024
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md
index 4a51fa2143..5ffc4c6801 100644
--- a/windows/configuration/assigned-access/shell-launcher/index.md
+++ b/windows/configuration/assigned-access/shell-launcher/index.md
@@ -1,7 +1,7 @@
---
title: What is Shell Launcher?
description: Learn how to configure devices with Shell Launcher.
-ms.date: 06/18/2024
+ms.date: 10/31/2024
ms.topic: overview
---
@@ -78,7 +78,7 @@ $shellLauncherConfiguration = @"
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
+$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
@@ -86,6 +86,7 @@ if($cimSetError) {
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ $eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
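Review bot: The added `$eventLogFilterHashTable` filters on `LogName` only, so the `do`/`until` loop exits as soon as the Admin log contains any event at all, including ones from earlier configuration attempts, which makes the subsequent error-log retrieval attribute old failures to this `Set-CimInstance` call. Capturing a timestamp before the call and adding it to the filter, `$startTime = Get-Date` and `@{ LogName='Microsoft-Windows-AssignedAccess/Admin'; StartTime=$startTime }`, limits the wait to events from this attempt. The loop also has no delay between `Get-WinEvent` calls, so it polls continuously for up to 30 seconds; a `Start-Sleep -Milliseconds 500` in the `do` body would be appropriate. The enclosing `if($cimSetError)` block starts outside this hunk.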
diff --git a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md b/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
index f217d88363..c843e767a5 100644
--- a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
+++ b/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
@@ -2,7 +2,7 @@
title: "Quickstart: configure a kiosk experience with Shell Launcher"
description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 02/05/2024
+ms.date: 10/31/2024
---
# Quickstart: configure a kiosk experience with Shell Launcher
diff --git a/windows/configuration/assigned-access/shell-launcher/xsd.md b/windows/configuration/assigned-access/shell-launcher/xsd.md
index ef624ae434..3dcc586570 100644
--- a/windows/configuration/assigned-access/shell-launcher/xsd.md
+++ b/windows/configuration/assigned-access/shell-launcher/xsd.md
@@ -2,7 +2,7 @@
title: Shell Launcher XML Schema Definition (XSD)
description: Shell Launcher XSD reference article.
ms.topic: reference
-ms.date: 02/15/2024
+ms.date: 10/31/2024
---
# Shell Launcher XML Schema Definition (XSD)
diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md
index 5cd75dccbe..36c51137aa 100644
--- a/windows/configuration/assigned-access/xsd.md
+++ b/windows/configuration/assigned-access/xsd.md
@@ -2,7 +2,7 @@
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
-ms.date: 04/08/2024
+ms.date: 10/31/2024
---
# Assigned Access XML Schema Definition (XSD)
diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md
index 8fcf389cf7..860024c72c 100644
--- a/windows/configuration/cellular/provisioning-apn.md
+++ b/windows/configuration/cellular/provisioning-apn.md
@@ -2,7 +2,7 @@
title: Configure cellular settings
description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article
-ms.date: 04/23/2024
+ms.date: 12/05/2024
---
# Configure cellular settings
diff --git a/windows/configuration/custom-logon/images/customlogoncad.jpg b/windows/configuration/custom-logon/images/customlogoncad.jpg
new file mode 100644
index 0000000000..0f610d3b57
Binary files /dev/null and b/windows/configuration/custom-logon/images/customlogoncad.jpg differ
diff --git a/windows/configuration/custom-logon/index.md b/windows/configuration/custom-logon/index.md
new file mode 100644
index 0000000000..536cdcb8f9
--- /dev/null
+++ b/windows/configuration/custom-logon/index.md
@@ -0,0 +1,133 @@
+---
+title: Custom Logon
+description: Custom Logon
+ms.date: 03/05/2024
+ms.topic: overview
+---
+
+# Custom Logon
+
+You can use the Custom Logon feature to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
+
+Custom Logon settings don't modify the credential behavior of **Winlogon**, so you can use any credential provider that is compatible with Windows 10 to provide a custom sign-in experience for your device. For more information about creating a custom logon experience, see [Winlogon and Credential Providers](/windows/win32/secauthn/winlogon-and-credential-providers).
+
+## Requirements
+
+Custom Logon can be enabled on:
+
+- Windows 10 Enterprise
+- Windows 10 IoT Enterprise
+- Windows 10 Education
+- Windows 11 Enterprise
+- Windows 11 IoT Enterprise
+- Windows 11 Education
+
+## Terminology
+
+**Turn on, enable:** To make the feature available and optionally apply settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line.
+
+**Configure:** To customize the setting or subsettings.
+
+**Embedded Logon:** This feature is called Embedded Logon in Windows 10, version 1511.
+
+**Custom Logon:** This feature is called Custom Logon in Windows 10, version 1607 and later.
+
+## Turn on Custom Logon
+
+Custom Logon is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Custom Logon in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed and you're applying a provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a provisioning package to be successfully applied.
+
+The Custom Logon feature is available in the Control Panel. You can set Custom Logon by following these steps:
+
+### Turn on Custom Logon in Control Panel
+
+1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Custom Logon**.
+1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+
+### Turn on Custom Logon using DISM
+
+1. Open a command prompt with administrator rights.
+1. Enable the feature using the following command.
+
+ ```cmd
+ dism /online /enable-feature /featureName:Client-EmbeddedLogon
+ ```
+
+## Configure Custom Logon
+
+### Configure Custom Logon settings using Unattend
+
+You can configure the Unattend settings in the [Microsoft-Windows-Embedded-EmbeddedLogon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon) component to add custom logon features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the custom logon settings and XML examples, see the settings in Microsoft-Windows-Embedded-EmbeddedLogon.
+
+The following example shows how to disable all Welcome screen UI elements and the **Switch user** button.
+
+```xml
+
+
+ 17
+ 1
+ 1
+ 1
+ 1
+
+
+```
+
+### Remove buttons from Logon screen
+
+To remove buttons from the Welcome screen, set the appropriate value for **BrandingNeutral** in the following registry key:
+
+```text
+HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon
+```
+
+1. Make sure you have enabled Custom Logon following the instructions in [Turn on Custom Logon](#turn-on-custom-logon).
+1. In the Windows search bar, type "Registry Editor" to open the **Registry Editor** window.
+1. Use the file navigation in the left pane to access **HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon**.
+1. In the right pane, right click on **BrandingNeutral** and select **Modify**.
+1. Select the correct **Base** and enter the value for your desired customizations according to the following table, and click **OK** to apply the changes.
+
+> [!NOTE]
+> Changing the **Base** of **BrandingNeutral** will automatically convert the value field to the selected base. To ensure you are getting the correct value, select the base before entering the value.
+
+The following table shows the possible values. To disable multiple Logon screen UI elements together, you can select the **Decimal** base when modifying the **BrandingNeutral** value, and combine actions by adding the decimal values of the desired actions and inputting the sum as the value of **BrandingNeutral**. For example, to disable the Power button and the Language button, select the decimal option for the base, then add the decimal values of each, in this case 2 and 4 respectively, and input the total (6) as the value for **BrandingNeutral**.
+
+| Action |Description| Registry value (Hexadecimal) | Registry value (Decimal)|
+|--------|------------|----|---|
+| Disable all Logon screen UI elements |Disables the Power, Language, and Ease of Access buttons on the Logon and Ctrl+Alt+Del screens. |`0x1` | 1|
+| Disable the Power button |Disables the Power button on the Logon and Ctrl+Alt+Del screens.|`0x2` |2|
+| Disable the Language button |Disables the Language button on the Logon and Ctrl+Alt+Del screens.|`0x4` |4|
+| Disable the Ease of Access button |Disables the Ease of Access button on the Logon and Ctrl+Alt+Del screens.|`0x8` |8|
+| Disable the Switch user button |Disables the Switch User button from the Ctrl+Alt+Del screen, preventing a user from switching accounts. | `0x10` |16|
+|Disable the Blocked Shutdown Resolver (BSDR) screen|Disables the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users aren't given a chance to cancel the shutdown process. | `0x20` |32|
+
+In the following image of the `[ctrl + alt + del]` screen, you can see the Switch user button highlighted by a light green outline, the Language button highlighted by an orange outline, the Ease of Access button highlighted by a red outline, and the power button highlighted by a yellow outline. If you disable these buttons, they're hidden from the UI.
+
+
+
+You can remove the Wireless UI option from the Welcome screen by using Group Policy.
+
+### Remove Wireless UI from Logon screen
+
+You use the following steps to remove Wireless UI from the Welcome screen
+
+1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
+1. In the Local Group Policy Editor, under **Computer Configuration**, expand **Administrative Templates**, expand **System**, and then tap or click **Logon**.
+1. Double-tap or click **Do not display network selection UI**.
+
+## Additional Customizations
+
+The following table shows additional customizations that can be made using registry keys.
+
+|Action |Path |Registry Key and Value |
+|---------|---------|---------|
+|Hide Autologon UI |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideAutoLogonUI = 1`|
+|Hide First Logon Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideFirstLogonAnimation = 1` |
+|Disable Authentication Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |`AnimationDisabled = 1` |
+|Disable Lock Screen | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization |`NoLockScreen = 1` |
+
+## Related articles
+
+- [Troubleshooting Custom Logon](troubleshoot.md)
+- [Unbranded Boot](../unbranded-boot/index.md)
+- [Shell Launcher](../shell-launcher/index.md)
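Review bot: The Unattend sample under "Configure Custom Logon settings using Unattend" (the `xml` fence) holds only the bare values `17`, `1`, `1`, `1`, `1` with no element names, so a reader cannot tell which Microsoft-Windows-Embedded-EmbeddedLogon settings the values belong to; if the angle-bracketed tags were lost when the file was committed rather than in rendering, they need to be restored. The paragraph beginning "In the following image of the `[ctrl + alt + del]` screen" is followed by a blank line rather than an image reference, although `images/customlogoncad.jpg` is added in this same change, so presumably an image link to it was intended. In the `BrandingNeutral` table, the `0x20` row says the BSDR screen is disabled and blocking applications are force-closed with no chance to cancel; a short pointer from that row to the data-loss warning in the troubleshooting article would help readers weigh that setting before combining it with the others.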
diff --git a/windows/configuration/custom-logon/troubleshoot.md b/windows/configuration/custom-logon/troubleshoot.md
new file mode 100644
index 0000000000..abb65828de
--- /dev/null
+++ b/windows/configuration/custom-logon/troubleshoot.md
@@ -0,0 +1,105 @@
+---
+title: Troubleshooting Custom Logon
+description: Troubleshooting Custom Logon
+ms.date: 05/02/2017
+ms.topic: troubleshooting
+---
+
+# Troubleshooting Custom Logon
+
+This section highlights some common issues that you may encounter when using Custom Logon.
+
+## When automatic sign-in is enabled, the device asks for a password when resuming from sleep or hibernate
+
+This can occur when your device is configured to require a password when waking up from a sleep state.
+
+### To disable password protection on wake-up
+
+1. If you have write filters enabled on your device, perform the following steps to disable them so that you can save setting changes:
+
+ 1. At an administrator command prompt, type the following command:
+
+ ```cmd
+ uwfmgr.exe filter disable
+ ```
+
+ 1. To restart the device, type the following command:
+
+ ```cmd
+ uwfmgr.exe restart
+ ```
+
+1. In **Contol Panel**, search for **Power Options** , and then select the Power Options heading.
+
+1. Under the **Power Options** heading, select **Require a password on wake up**.
+
+1. On the **Define power buttons and turn on password protection** page, under **Password protection on wakeup**, select **Don't require a password**.
+
+1. If you have disabled write filters, perform the following steps to enable them again:
+
+ 1. At an administrator command prompt, type the following command:
+
+ ```cmd
+ uwfmgr.exe filter enable
+ ```
+
+ 1. To restart the device, type the following command:
+
+ ```cmd
+ uwfmgr.exe restart
+ ```
+
+## The device displays a black screen during setup
+
+Set the **HideAutoLogonUI** and **AnimationDisabled** settings to **0** (zero). The device will then display a default screen during setup.
+
+## The device displays a black screen when Ctrl+Alt+Del is pressed
+
+**HideAutoLogonUI** and**ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
+
+## The device displays a black screen when Windows key + L is used to lock the device
+
+**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
+
+### The device displays a black screen when Notepad is opened, any characters are typed and the current user signs out, or the device is rebooted, or the device is shut down
+
+**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the Blocked Shutdown Resolver Screen (BSDR).
+
+> [!WARNING]
+> When the BSDR screen is disabled, restarting, or shutting down the device causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This can result in lost data if any open applications have unsaved data.
+
+## The device displays a black screen when the device is suspended and then resumed
+
+**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the password protection on wake-up.
+
+### To disable password protection on wake-up
+
+1. In **Control Panel**, select **Power Options**.
+
+1. In the **Power Options** item, select **Require a password on wake up**.
+
+1. On the **Define power buttons and turn on password protection** page, under **Password protection on wake up**, select **Don't require a password**.
+
+### The device displays a black screen when a password expiration screen is displayed
+
+**HideAutoLogonUI** has a known issue. To avoid a black screen, we recommend you set the password to never expire.
+
+### To set a password to never expire on an individual user account
+
+1. On your device, open a command prompt with administrator privileges.
+
+1. Type the following, replacing *<accountname>* with the name of the account you want to remove the password expiration from.
+
+ ```cmd
+ net accounts /expires:never
+ ```
+
+### To set passwords to never expire on all user accounts
+
+1. On your device, open a command prompt with administrator privileges.
+
+1. Type the following
+
+ ```cmd
+ net accounts /MaxPWAge:unlimited
+ ```
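Review bot: Under "To set a password to never expire on an individual user account", the step tells the reader to replace *<accountname>*, but the command that follows, `net accounts /expires:never`, carries no account name, and `net accounts` operates on the machine-wide account policy rather than a single account, so either the placeholder or the command is wrong; verify against the tool and, if a per-user command is intended, show one that actually takes the account name. The next section's `net accounts /MaxPWAge:unlimited` likewise changes the password-age policy for every local account, not just the auto-logon account, which the text should say so the reader can weigh it against their password policy. "Contol Panel" in the first procedure is a typo for "Control Panel".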
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 32f9c41247..22924a43cc 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -80,12 +80,18 @@
"assigned-access//**/*.yml": "paolomatarazzo",
"cellular//**/*.md": "paolomatarazzo",
"cellular//**/*.yml": "paolomatarazzo",
+ "custom-logon//**/*.md": "terrywarwick",
+ "custom-logon//**/*.yml": "terrywarwick",
+ "keyboard-filter//**/*.md": "terrywarwick",
+ "keyboard-filter//**/*.yml": "terrywarwick",
"lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo",
+ "shell-launcher//**/*.md": "terrywarwick",
+ "shell-launcher//**/*.yml": "terrywarwick",
"start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo",
@@ -94,6 +100,10 @@
"taskbar//**/*.yml": "paolomatarazzo",
"tips//**/*.md": "paolomatarazzo",
"tips//**/*.yml": "paolomatarazzo",
+ "unbranded-boot//**/*.md": "terrywarwick",
+ "unbranded-boot//**/*.yml": "terrywarwick",
+ "unified-write-filter//**/*.md": "terrywarwick",
+ "unified-write-filter//**/*.yml": "terrywarwick",
"wcd//**/*.md": "vinaypamnani-msft",
"wcd//**/*.yml": "vinaypamnani-msft"
},
@@ -104,12 +114,18 @@
"assigned-access//**/*.yml": "paoloma",
"cellular//**/*.md": "paoloma",
"cellular//**/*.yml": "paoloma",
+ "custom-logon//**/*.md": "twarwick",
+ "custom-logon//**/*.yml": "twarwick",
"lock-screen//**/*.md": "paoloma",
+ "keyboard-filter//**/*.md": "twarwick",
+ "keyboard-filter//**/*.yml": "twarwick",
"lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma",
+ "shell-launcher//**/*.md": "twarwick",
+ "shell-launcher//**/*.yml": "twarwick",
"start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma",
@@ -118,6 +134,10 @@
"taskbar//**/*.yml": "paoloma",
"tips//**/*.md": "paoloma",
"tips//**/*.yml": "paoloma",
+ "unbranded-boot//**/*.md": "twarwick",
+ "unbranded-boot//**/*.yml": "twarwick",
+ "unified-write-filter//**/*.md": "twarwick",
+ "unified-write-filter//**/*.yml": "twarwick",
"wcd//**/*.md": "vinpa",
"wcd//**/*.yml": "vinpa"
},
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index fa1a297ecf..a1e1606862 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -11,7 +11,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 04/25/2024
+ ms.date: 12/05/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md
new file mode 100644
index 0000000000..9a5c32fb35
--- /dev/null
+++ b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md
@@ -0,0 +1,74 @@
+---
+title: Disable all blocked key combinations
+description: Disable all blocked key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Disable all blocked key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the WMI providers to disable all blocked key combinations for Keyboard Filter by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. The key combination configurations aren't removed, but Keyboard Filter stops blocking any keys.
+
+## Disable-all-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This Windows PowerShell script shows how to enumerate all existing keyboard filter
+ rules and how to disable them by setting the Enabled property directly.
+.Description
+ For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
+ set the Enabled property to false/0 to disable the filter rule, thus
+ allowing all key sequences through the filter.
+.Parameter ComputerName
+ Optional parameter to specify the remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+
+param(
+ [String]$ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ $_.Enabled = 0;
+ $_.Put() | Out-Null;
+ Write-Host Disabled $_.Id
+ }
+ }
+
+Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ $_.Enabled = 0;
+ $_.Put() | Out-Null;
+ Write-Host Disabled $_.Id
+ }
+ }
+
+Get-WMIObject -class WEKF_Scancode @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ $_.Enabled = 0;
+ $_.Put() | Out-Null;
+ "Disabled {0}+{1:X4}" -f $_.Modifiers,$_.Scancode
+ }
+ }
+```
+
+## Related articles
+
+- [Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+- [Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+- [Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/index.md b/windows/configuration/keyboard-filter/index.md
new file mode 100644
index 0000000000..6f7d3cc589
--- /dev/null
+++ b/windows/configuration/keyboard-filter/index.md
@@ -0,0 +1,144 @@
+---
+title: Keyboard Filter
+description: Keyboard Filter
+ms.date: 01/13/2025
+ms.topic: overview
+---
+
+# Keyboard Filter
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, a customer can use certain Microsoft Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to alter the operation of a device by locking the screen or using Task Manager to close a running application. This behavior might not be desirable if your device is intended for a dedicated purpose.
+
+The Keyboard Filter feature works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. Switching from one language to another might cause the location of suppressed keys on the keyboard layout to change. Keyboard Filter detects these dynamic layout changes and continues to suppress keys correctly.
+
+> [!NOTE]
+> Keyboard filter is not supported in a remote desktop session.
+
+## Terminology
+
+- **Turn on, enable:** Make the setting available to the device and optionally apply the settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line
+- **Configure:** To customize the setting or subsettings
+- **Embedded Keyboard Filter:** This feature is called Embedded Keyboard Filter in Windows 10, version 1511
+- **Keyboard Filter:** This feature is called Keyboard Filter in Windows 10, version 1607 and later
+
+## Turn on Keyboard Filter
+
+By default, Keyboard Filter isn't turned on. You can turn Keyboard Filter on or off for your device by using the following steps.
+
+Turning on an off Keyboard Filter requires that you restart your device. Keyboard Filter is automatically enabled after the restart.
+
+### Turn on Keyboard Filter by using Control Panel
+
+1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Keyboard Filter**.
+1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+1. Restart your device to apply the changes.
+
+### Configure Keyboard using Unattend
+
+1. You can configure the Unattend settings in the [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice) component to add Keyboard Filter features to your image during the design or imaging phase.
+1. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the keyboard filter settings and XML examples, see the settings in [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice).
+
+### Turn on and configure Keyboard Filter using Windows Configuration Designer
+
+The Keyboard Filter settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image deployment time or runtime. You can set one or all keyboard filter settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime.
+
+1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package), selecting the **Advanced Provisioning** option.
+
+ > [!Note]
+ > In the **Choose which settings to view and configure** window, choose **Common to all Windows desktop editions**.
+
+1. On the **Available customizations** page, select **Runtime settings** > **SMISettings**, and then set the desired values for the keyboard filter settings.
+1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. For more information, see [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package).
+
+This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package. For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
+
+### Turn on and configure Keyboard Filter by using DISM
+
+1. Open a command prompt with administrator privileges.
+1. Enable the feature using the following command.
+
+ ```cmd
+ Dism /online /Enable-Feature /FeatureName:Client-KeyboardFilter
+ ```
+
+1. Once the script completes, restart the device to apply the change.
+
+## Keyboard Filter features
+
+Keyboard Filter has the following features:
+
+- Supports hardware keyboards, the standard Windows on-screen keyboard, and the touch keyboard (TabTip.exe)
+- Suppresses key combinations even when they come from multiple keyboards
+
+ For example, if a user presses the Ctrl key and the Alt key on a hardware keyboard, while at the same time pressing Delete on a software keyboard, Keyboard Filter can still detect and suppress the Ctrl+Alt+Delete functionality.
+
+- Supports numeric keypads and keys designed to access media player and browser functionality
+- Can configure a key to breakout of a locked down user session to return to the Welcome screen
+- Automatically handles dynamic layout changes
+- Can be enabled or disabled for administrator accounts
+- Can force disabling of Ease of Access functionality
+- Supports x86 and x64 architectures
+
+## Keyboard scan codes and layouts
+
+When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout. The layout defines the mapping of keys on the physical keyboard, and has many variants. A key on a keyboard always sends the same scan code when pressed, however this scan code can map to different virtual keys for different layouts. For example, in the English (United States) keyboard layout, the key to the right of the P key maps to `{`. However, in the Swedish (Sweden) keyboard layout, the same key maps to `Å`.
+
+Keyboard Filter can block keys either by the scan code or the virtual key. Blocking keys by the scan code is useful for custom keyboards that have special scan codes that don't translate into any single virtual key. Blocking keys by the virtual key is more convenient because it's easier to read and Keyboard Filter suppresses the key correctly even when the location of the key changes because of a layout change.
+
+When you configure Keyboard Filter to block keys by using the virtual key, you must use the English names for the virtual keys. For more information about the names of the virtual keys, see keyboard filter key names.
+
+For the Windows on-screen keyboard, keyboard filter converts each keystroke into a scan code based on the layout, and back into a virtual key. This allows keyboard filter to suppress the on-screen keyboard keys in the same manner as physical keyboard keys if they're configured with either scan code or virtual key.
+
+## Keyboard Filter and ease of access features
+
+By default, ease of access features are enabled and Keyboard Filter is disabled for administrator accounts.
+
+If Sticky Keys are enabled, a user can bypass Keyboard Filter in certain situations. You can configure keyboard filter to disable all ease of access features and prevent users from enabling them.
+
+You can enable ease of access features for administrator accounts, while still disabling them for standard user accounts, by making sure that Keyboard Filter is disabled for administrator accounts.
+
+## Keyboard Filter configuration
+
+You can configure the following options for Keyboard Filter:
+
+- Set/unset predefined key combinations to be suppressed
+- Add/remove custom defined key combinations to be suppressed
+- Enable/disable keyboard filter for administrator accounts
+- Force disabling ease of access features
+- Configure a breakout key sequence to break out of a locked down account
+
+Most configuration changes take effect immediately. Some changes, such as enabling or disabling Keyboard Filter for administrators, don't take effect until the user signs out of the account and then back in. If you change the breakout key scan code, you must restart the device before the change take effect.
+
+You can configure keyboard filter by using Windows Management Instrumentation (WMI) providers. You can use the Keyboard Filter WMI providers directly in a PowerShell script or in an application.
+
+For more information about Keyboard Filter WMI providers, see [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md).
+
+## Keyboard breakout
+
+You may need to sign in to a locked down device with a different account in order to service or configure the device. You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account.
+
+The breakout key is set to the scan code for the left Windows logo key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect.
+
+## Keyboard Filter considerations
+
+Starting a device in Safe Mode bypasses keyboard filter. The Keyboard Filter service isn't loaded in Safe Mode, and keys aren't blocked in Safe Mode.
+
+Keyboard filter can't block the Sleep key.
+
+Some hardware keys, such as rotation lock, don't have a defined virtual key. You can still block these keys by using the scan code of the key.
+
+The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply.
+
+When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows logo key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows logo key+L, the extra Windows logo key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior.
+
+Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search.
+
+## In this section
+
+- [Keyboard Filter key names](keyboardfilter-key-names.md)
+- [Predefined key combinations](predefined-key-combinations.md)
+- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+- [Windows PowerShell script samples for Keyboard Filter](keyboardfilter-powershell-script-samples.md)
\ No newline at end of file
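Review bot: In "Keyboard scan codes and layouts", the sentence "For more information about the names of the virtual keys, see keyboard filter key names." has no link, although the same article is linked as `[Keyboard Filter key names](keyboardfilter-key-names.md)` in the "In this section" list; `see [Keyboard Filter key names](keyboardfilter-key-names.md).` would fix it. "Turning on an off Keyboard Filter" under "Turn on Keyboard Filter" is a typo for "Turning on or off Keyboard Filter". The file also ends without a trailing newline, unlike the other new files in this change.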
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md
new file mode 100644
index 0000000000..129b6e271b
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md
@@ -0,0 +1,160 @@
+---
+title: Add blocked key combinations
+description: Add blocked key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Add blocked key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create three functions to configure Keyboard Filter so that Keyboard Filter blocks key combinations. It demonstrates several ways to use each function.
+
+The first function, `Enable-Predefine-Key`, blocks key combinations that are predefined for Keyboard Filter.
+
+The second function, `Enable-Custom-Key`, blocks custom key combinations by using the English key names.
+
+The third function, `Enable-Scancode`, blocks custom key combinations by using the keyboard scan code for the key.
+
+## Enable-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to use the built in WMI providers to enable and add
+ keyboard filter rules through Windows PowerShell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Enable-Predefined-Key($Id) {
+ <#
+ .Synopsis
+ Toggle on a Predefined Key keyboard filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+ .Example
+ Enable-Predefined-Key "Ctrl+Alt+Del"
+ Enable CAD filtering
+#>
+
+ $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($predefined) {
+ $predefined.Enabled = 1;
+ $predefined.Put() | Out-Null;
+ Write-Host Enabled $Id
+ } else {
+ Write-Error "$Id is not a valid predefined key"
+ }
+}
+
+
+function Enable-Custom-Key($Id) {
+ <#
+ .Synopsis
+ Toggle on a Custom Key keyboard filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+
+ In the case that the Custom instance does not exist, add a new
+ instance of WEKF_CustomKey using Set-WMIInstance.
+ .Example
+ Enable-Custom-Key "Ctrl+V"
+ Enable filtering of the Ctrl + V sequence.
+#>
+
+ $custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($custom) {
+# Rule exists. Just enable it.
+ $custom.Enabled = 1;
+ $custom.Put() | Out-Null;
+ "Enabled Custom Filter $Id.";
+
+ } else {
+ Set-WMIInstance `
+ -class WEKF_CustomKey `
+ -argument @{Id="$Id"} `
+ @CommonParams | Out-Null
+ "Added Custom Filter $Id.";
+ }
+}
+
+function Enable-Scancode($Modifiers, [int]$Code) {
+ <#
+ .Synopsis
+ Toggle on a Scancode keyboard filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_Scancode instances,
+ filter against key values of "Modifiers" and "Scancode", and set
+ that instance's "Enabled" property to 1/true.
+
+ In the case that the Scancode instance does not exist, add a new
+ instance of WEKF_Scancode using Set-WMIInstance.
+ .Example
+ Enable-Scancode "Ctrl" 37
+ Enable filtering of the Ctrl + keyboard scancode 37 (base-10)
+ sequence.
+#>
+
+ $scancode =
+ Get-WMIObject -class WEKF_Scancode @CommonParams |
+ where {
+ ($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
+ }
+
+ if($scancode) {
+ $scancode.Enabled = 1
+ $scancode.Put() | Out-Null
+ "Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ } else {
+ Set-WMIInstance `
+ -class WEKF_Scancode `
+ -argument @{Modifiers="$Modifiers"; Scancode=$Code} `
+ @CommonParams | Out-Null
+
+ "Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ }
+}
+
+# Some example uses of the functions defined above.
+Enable-Predefined-Key "Ctrl+Alt+Del"
+Enable-Predefined-Key "Ctrl+Esc"
+Enable-Custom-Key "Ctrl+V"
+Enable-Custom-Key "Numpad0"
+Enable-Custom-Key "Shift+Numpad1"
+Enable-Custom-Key "%"
+Enable-Scancode "Ctrl" 37
+```
+
+## Related topics
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-key-names.md b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md
new file mode 100644
index 0000000000..9fe1380150
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md
@@ -0,0 +1,179 @@
+---
+title: Keyboard Filter key names
+description: Keyboard Filter key names
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Keyboard Filter key names
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+You can configure Keyboard Filter to block keys or key combinations. A key combination consists of one or more modifier keys, separated by a plus sign (+), and either a key name or a key scan code. In addition to the keys listed in the following tables, you can use the predefined key combinations names as custom key combinations. However, we recommend using the predefined key settings when enabling or disabling predefined key combinations.
+
+The key names are grouped as follows:
+
+- [Modifier keys](#modifier-keys)
+- [System keys](#system-keys)
+- [Cursor and edit keys](#cursor-and-edit-keys)
+- [State keys](#state-keys)
+- [OEM keys](#oem-keys)
+- [Function keys](#function-keys)
+- [Numeric keypad keys](#numeric-keypad-keys)
+
+## Modifier keys
+
+You can use the modifier keys listed in the following table when you configure keyboard filter. Multiple modifiers are separated by a plus sign (+). You can also configure Keyboard Filter to block any modifier key even if it's not part of a key combination.
+
+| Modifier key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `Ctrl` | VK_CONTROL | The Ctrl key |
+| `LCtrl` | VK_LCONTROL | The left Ctrl key |
+| `RCtrl` | VK_RCONTROL | The right Ctrl key |
+| `Control` | VK_CONTROL | The Ctrl key |
+| `LControl` | VK_LCONTROL | The left Ctrl key |
+| `RControl` | VK_RCONTROL | The right Ctrl key |
+| `Alt` | VK_MENU | The Alt key |
+| `LAlt` | VK_LMENU | The left Alt key |
+| `RAlt` | VK_RMENU | The right Alt key |
+| `Shift` | VK_SHIFT | The Shift key |
+| `LShift` | VK_LSHIFT | The left Shift key |
+| `RShift` | VK_RSHIFT | The right Shift key |
+| `Win` | VK_WIN | The Windows logo key |
+| `LWin` | VK_LWIN | The left Windows logo key |
+| `RWin` | VK_RWIN | The right Windows logo key |
+| `Windows` | VK_WIN | The Windows logo key |
+| `LWindows` | VK_LWIN | The left Windows logo key |
+| `RWindows` | VK_RWIN | The right Windows key |
+
+## System keys
+
+| Modifier key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `Ctrl` | VK_CONTROL | The Ctrl key |
+| `LCtrl` | VK_LCONTROL | The left Ctrl key |
+| `RCtrl` | VK_RCONTROL | The right Ctrl key |
+| `Control` | VK_CONTROL | The Ctrl key |
+| `LControl` | VK_LCONTROL | The left Ctrl key |
+| `RControl` | VK_RCONTROL | The right Ctrl key |
+| `Alt` | VK_MENU | The Alt key |
+| `LAlt` | VK_LMENU | The left Alt key |
+| `RAlt` | VK_RMENU | The right Alt key |
+| `Shift` | VK_SHIFT | The Shift key |
+| `LShift` | VK_LSHIFT | The left Shift key |
+| `RShift` | VK_RSHIFT | The right Shift key |
+| `Win` | VK_WIN | The Windows logo key |
+| `LWin` | VK_LWIN | The left Windows logo key |
+| `RWin` | VK_RWIN | The right Windows logo key |
+| `Windows` | VK_WIN | The Windows logo key |
+| `LWindows` | VK_LWIN | The left Windows logo key |
+| `RWindows` | VK_RWIN | The right Windows logo key |
+
+## Cursor and edit keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `PageUp` | VK_PRIOR | The Page Up key |
+| `Prior` | VK_PRIOR | The Page Up key |
+| `PgUp` | VK_PRIOR | The Page Up key |
+| `PageDown` | VK_NEXT | The Page Down key |
+| `PgDown` | VK_NEXT | The Page Down key |
+| `Next` | VK_NEXT | The Page Down key |
+| `End` | VK_END | The End key |
+| `Home` | VK_HOME | The Home key |
+| `Left` | VK_LEFT | The Left Arrow key |
+| `Up` | VK_UP | The Up Arrow key |
+| `Right` | VK_RIGHT | The Right Arrow key |
+| `Down` | VK_DOWN | The Down Arrow key |
+| `Insert` | VK_INSERT | The Insert key |
+| `Delete` | VK_DELETE | The Delete key |
+| `Del` | VK_DELETE | The Delete key |
+| `Separator` | VK_SEPARATOR | The Separator key |
+
+## State keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `NumLock` | VK_NUMLOCK | The Num Lock key |
+| `ScrollLock` | VK_SCROLL | The Scroll Lock key |
+| `Scroll` | VK_SCROLL | The Scroll Lock key |
+| `CapsLock` | VK_CAPITAL | The Caps Lock key |
+| `Capital` | VK_CAPITAL | The Caps Lock key |
+
+## OEM keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `KeypadEqual` | VK_OEM_NEC_EQUAL | The Equals (=) key on the numeric keypad (OEM-specific) |
+| `Dictionary` | VK_OEM_FJ_JISHO | The Dictionary key (OEM-specific) |
+| `Unregister` | VK_OEM_FJ_MASSHOU | The Unregister Word key (OEM-specific) |
+| `Register` | VK_OEM_FJ_TOUROKU | The Register Word key (OEM-specific) |
+| `LeftOyayubi` | VK_OEM_FJ_LOYA | The Left OYAYUBI key (OEM-specific) |
+| `RightOyayubi` | VK_OEM_FJ_ROYA | The Right OYAYUBI key (OEM-specific) |
+| `OemPlus` | VK_OEM_PLUS | For any country/region, the Plus Sign (+) key |
+| `OemComma` | VK_OEM_COMMA | For any country/region, the Comma (,) key |
+| `OemMinus` | VK_OEM_MINUS | For any country/region, the Minus Sign (-) key |
+| `OemPeriod` | VK_OEM_PERIOD | For any country/region, the Period (.) key |
+| `Oem1` | VK_OEM_1 | Varies by keyboard |
+| `Oem2` | VK_OEM_2 | Varies by keyboard |
+| `Oem3` | VK_OEM_3 | Varies by keyboard |
+| `Oem4` | VK_OEM_4 | Varies by keyboard |
+| `Oem5` | VK_OEM_5 | Varies by keyboard |
+| `Oem6` | VK_OEM_6 | Varies by keyboard |
+| `Oem7` | VK_OEM_7 | Varies by keyboard |
+| `Oem8` | VK_OEM_8 | Varies by keyboard |
+| `OemAX` | VK_OEM_AX | The AX key on a Japanese AX keyboard |
+| `Oem102` | VK_OEM_102 | Either the angle bracket key or the backslash key on the RT 102-key keyboard |
+
+## Function keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `F1` | VK_F1 | The F1 key |
+| `F2` | VK_F2 | The F2 key |
+| `F3` | VK_F3 | The F3 key |
+| `F4` | VK_F4 | The F4 key |
+| `F5` | VK_F5 | The F5 key |
+| `F6` | VK_F6 | The F6 key |
+| `F7` | VK_F7 | The F7 key |
+| `F8` | VK_F8 | The F8 key |
+| `F9` | VK_F9 | The F9 key |
+| `F10` | VK_F10 | The F10 key |
+| `F11` | VK_F11 | The F11 key |
+| `F12` | VK_F12 | The F12 key |
+| `F13` | VK_F13 | The F13 key |
+| `F14` | VK_F14 | The F14 key |
+| `F15` | VK_F15 | The F15 key |
+| `F16` | VK_F16 | The F16 key |
+| `F17` | VK_F17 | The F17 key |
+| `F18` | VK_F18 | The F18 key |
+| `F19` | VK_F19 | The F19 key |
+| `F20` | VK_F20 | The F20 key |
+| `F21` | VK_F21 | The F21 key |
+| `F22` | VK_F22 | The F22 key |
+| `F23` | VK_F23 | The F23 key |
+| `F24` | VK_F24 | The F24 key |
+
+## Numeric keypad keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `Numpad0` | VK_NUMPAD0 | The 0 key on the numeric keypad |
+| `Numpad1` | VK_NUMPAD1 | The 1 key on the numeric keypad |
+| `Numpad2` | VK_NUMPAD2 | The 2 key on the numeric keypad |
+| `Numpad3` | VK_NUMPAD3 | The 3 key on the numeric keypad |
+| `Numpad4` | VK_NUMPAD4 | The 4 key on the numeric keypad |
+| `Numpad5` | VK_NUMPAD5 | The 5 key on the numeric keypad |
+| `Numpad6` | VK_NUMPAD6 | The 6 key on the numeric keypad |
+| `Numpad7` | VK_NUMPAD7 | The 7 key on the numeric keypad |
+| `Numpad8` | VK_NUMPAD8 | The 8 key on the numeric keypad |
+| `Numpad9` | VK_NUMPAD9 | The 9 key on the numeric keypad |
+| `Multiply` | VK_MULTIPLY | The Multiply (*) key on the numeric keypad |
+| `Add` | VK_ADD | The Add (+) key on the numeric keypad |
+| `Subtract` | VK_SUBTRACT | The Subtract (-) key on the numeric keypad |
+| `Decimal` | VK_DECIMAL | The Decimal (.) key on the numeric keypad |
+| `Divide` | VK_DIVIDE | The Divide (/) key on the numeric keypad |
+
+## Related articles
+
+- [Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md
new file mode 100644
index 0000000000..35788409b1
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md
@@ -0,0 +1,71 @@
+---
+title: List all configured key combinations
+description: List all configured key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# List all configured key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to displays all key combination configurations for Keyboard Filter.
+
+## List-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ Enumerate all active keyboard filter rules on the system.
+.Description
+ For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
+ get the Enabled property. If Enabled, then output a short description
+ of the rule.
+.Parameter ComputerName
+ Optional parameter to specify the remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+write-host Enabled Predefined Keys -foregroundcolor cyan
+Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ write-host $_.Id
+ }
+ }
+
+write-host Enabled Custom Keys -foregroundcolor cyan
+Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ write-host $_.Id
+ }
+ }
+
+write-host Enabled Scancodes -foregroundcolor cyan
+Get-WMIObject -class WEKF_Scancode @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ "{0}+{1:X4}" -f $_.Modifiers, $_.Scancode
+ }
+ }
+```
+
+## Related articles
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md
new file mode 100644
index 0000000000..7547ba9614
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md
@@ -0,0 +1,26 @@
+---
+title: Windows PowerShell script samples for Keyboard Filter
+description: Windows PowerShell script samples for Keyboard Filter
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Windows PowerShell script samples for Keyboard Filter
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The list below describes sample Windows PowerShell scripts that demonstrate how to use the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
+
+| Script | Description |
+| ------ | ----------- |
+| [Add blocked key combinations](keyboardfilter-add-blocked-key-combinations.md) | Demonstrates how to block key combinations for Keyboard Filter.|
+| [Disable all blocked key combinations](disable-all-blocked-key-combinations.md) | Demonstrates how to disable all blocked key combinations for Keyboard Filter. |
+| [List all configured key combinations](keyboardfilter-list-all-configured-key-combinations.md) | Demonstrates how to list all defined key combination configurations for Keyboard Filter. |
+| [Modify global settings](modify-global-settings.md) | Demonstrates how to modify global settings for Keyboard Filter. |
+| [Remove key combination configurations](remove-key-combination-configurations.md) | Demonstrates how to remove a custom defined key combination configuration for Keyboard Filter. |
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter](index.md)
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md
new file mode 100644
index 0000000000..eeff8800eb
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md
@@ -0,0 +1,23 @@
+---
+title: Keyboard Filter WMI provider reference
+description: Keyboard Filter WMI provider reference
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Keyboard Filter WMI provider reference
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Describes the Windows Management Instrumentation (WMI) provider classes that you use to configure Keyboard Filter during run time.
+
+| WMI Provider Class | Description |
+| ------------------ | ----------- |
+| [WEKF_CustomKey](wekf-customkey.md) | Blocks or unblocks custom defined key combinations. |
+| [WEKF_PredefinedKey](wekf-predefinedkey.md) | Blocks or unblocks predefined key combinations. |
+| [WEKF_Scancode](wekf-scancode.md) | Blocks or unblocks key combinations by using keyboard scan codes. |
+| [WEKF_Settings](wekf-settings.md) | Enables or disables settings for Keyboard Filter. |
+
+## Related topics
+
+[Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/modify-global-settings.md b/windows/configuration/keyboard-filter/modify-global-settings.md
new file mode 100644
index 0000000000..39d26be872
--- /dev/null
+++ b/windows/configuration/keyboard-filter/modify-global-settings.md
@@ -0,0 +1,172 @@
+---
+title: Modify global settings
+description: Modify global settings
+ms.date: 01/13/2025
+ms.topic: how-to
+---
+
+# Modify global settings
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell scripts use the Windows Management Instrumentation (WMI) providers to modify global settings for Keyboard Filter.
+
+The function **Get-Setting** retrieves the value of a global setting for Keyboard Filter.
+
+In the first script, the function **Set-DisableKeyboardFilterForAdministrators** modifies the value of the **DisableKeyboardFilterForAdministrators** setting.
+
+In the second script, the function **Set-ForceOffAccessibility** modifies the value of the **ForceOffAccessibility** setting.
+
+## Set-DisableKeyboardFilterForAdministrators.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to enumerate WEKF_Settings to find global settings
+ that can be set on the keyboard filter. In this specific script, the
+ global setting to be set is "DisableKeyboardFilterForAdministrators".
+.Parameter ComputerName
+ Optional parameter to specify a remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+.Parameter On
+ Switch if present that sets "DisableKeyboardFilterForAdministrators" to
+ true. If not present, sets the setting to false.
+#>
+
+param (
+ [Switch] $On = $False,
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
+if ($PSBoundParameters.ContainsKey("ComputerName")) {
+ $CommonParams += @{"ComputerName" = $ComputerName};
+}
+
+function Get-Setting([String] $Name) {
+ <#
+ .Synopsis
+ Get a WMIObject by name from WEKF_Settings
+ .Parameter Name
+ The name of the setting, which is the key for the WEKF_Settings class.
+#>
+ $Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
+ where {
+ $_.Name -eq $Name
+ }
+
+ return $Entry
+}
+
+function Set-DisableKeyboardFilterForAdministrators([Bool] $Value) {
+ <#
+ .Synopsis
+ Set the DisableKeyboardFilterForAdministrators setting to true or
+ false.
+ .Description
+ Set DisableKeyboardFilterForAdministrators to true or false based
+ on $Value
+ .Parameter Value
+ A Boolean value
+#>
+
+ $Setting = Get-Setting("DisableKeyboardFilterForAdministrators")
+ if ($Setting) {
+ if ($Value) {
+ $Setting.Value = "true"
+ } else {
+ $Setting.Value = "false"
+ }
+ $Setting.Put() | Out-Null;
+ } else {
+ Write-Error "Unable to find DisableKeyboardFilterForAdministrators setting";
+ }
+}
+
+Set-DisableKeyboardFilterForAdministrators $On
+```
+
+## Set-ForceOffAccessibility.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to enumerate WEKF_Settings to find global settings
+ that can be set on the keyboard filter. In this specific script, the
+ global setting to be set is "ForceOffAccessibility".
+.Parameter ComputerName
+ Optional parameter to specify a remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+.Parameter Enabled
+ Switch if present that sets "ForceOffAccessibility" to true. If not
+ present, sets the setting to false.
+#>
+
+param (
+ [Switch] $Enabled = $False,
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
+if ($PSBoundParameters.ContainsKey("ComputerName")) {
+ $CommonParams += @{"ComputerName" = $ComputerName};
+}
+
+function Get-Setting([String] $Name) {
+ <#
+ .Synopsis
+ Get a WMIObject by name from WEKF_Settings
+ .Parameter Name
+ The name of the setting, which is the key for the WEKF_Settings class.
+#>
+ $Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
+ where {
+ $_.Name -eq $Name
+ }
+
+ return $Entry
+}
+
+function Set-ForceOffAccessibility([Bool] $Value) {
+ <#
+ .Synopsis
+ Set the ForceOffAccessibility setting to true or false.
+ .Description
+ Set ForceOffAccessibility to true or false based on $Value
+ .Parameter Value
+ A Boolean value
+#>
+
+ $Setting = Get-Setting("ForceOffAccessibility")
+ if ($Setting) {
+ if ($Value) {
+ $Setting.Value = "true"
+ } else {
+ $Setting.Value = "false"
+ }
+ $Setting.Put() | Out-Null;
+ } else {
+ Write-Error "Unable to find ForceOffAccessibility setting";
+ }
+}
+
+Set-ForceOffAccessibility $Enabled
+```
+
+## Related topics
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[WEKF_Settings](wekf-settings.md)
+
+[Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/predefined-key-combinations.md b/windows/configuration/keyboard-filter/predefined-key-combinations.md
new file mode 100644
index 0000000000..eb25a41a53
--- /dev/null
+++ b/windows/configuration/keyboard-filter/predefined-key-combinations.md
@@ -0,0 +1,160 @@
+---
+title: Predefined key combinations
+description: Predefined key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Predefined key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This topic lists a set of key combinations that are predefined by a keyboard filter. You can list the value of the WEKF_PredefinedKey.Id to get a complete list of key combinations defined by a keyboard filter.
+
+You can use the values in the WEKF_PredefinedKey.Id column to configure the Windows Management Instrumentation (WMI) class [WEKF_PredefinedKey](wekf-predefinedkey.md).
+
+## Accessibility keys
+
+The following table contains predefined key combinations for accessibility:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:-------------------------------------|:--------------------------|:----------------------------|
+| Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. |
+| Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. |
+| Windows logo key + U | **Win+U** | Open Ease of Access Center. |
+
+## Application keys
+
+The following table contains predefined key combinations for controlling application state:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:----------------------|:----------------------|:-------------------|
+| Alt + F4 | **Alt+F4** | Close application. |
+| Ctrl + F4 | **Ctrl+F4** | Close window. |
+| Windows logo key + F1 | **Win+F1** | Open Windows Help. |
+
+## Shell keys
+
+The following table contains predefined key combinations for general UI control:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
+| Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. |
+| Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. |
+| Ctrl + Windows logo key + F | **Ctrl+Win+F** | Open Find Computers. |
+| Windows logo key + Break | **Win+Break** | Open System dialog box. |
+| Windows logo key + E | **Win+E** | Open Windows Explorer. |
+| Windows + F | **Win+F** | Open Search. |
+| Windows logo key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows logo key + Shift + P and the Windows logo key + Ctrl + P key combinations. |
+| Windows logo key + R | **Win+R** | Open Run dialog box. |
+| Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. |
+| Ctrl + Tab | **Ctrl+Tab** | Switch window. |
+| Windows logo key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows logo key + Ctrl + Tab and Windows logo key + Shift + Tab key combinations. |
+| Windows logo key + D | **Win+D** | Show desktop. |
+| Windows logo key + M | **Win+M** | Minimize all windows. |
+| Windows logo key + Home | **Win+Home** | Minimize or restore all inactive windows. |
+| Windows logo key + T | **Win+T** | Set focus on taskbar and cycle through programs. |
+| Windows logo key + B | **Win+B** | Set focus in the notification area. |
+| Windows logo key + Minus Sign | **Win+-** | Zoom out. |
+| Windows logo key + Plus Sign | **Win++** | Zoom in. |
+| Windows logo key + Esc | **Win+Esc** | Close Magnifier application. |
+| Windows logo key + Up Arrow | **Win+Up** | Maximize the active window. |
+| Windows logo key + Down Arrow | **Win+Down** | Minimize the active window. |
+| Windows logo key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. |
+| Windows logo key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. |
+| Windows logo key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. |
+| Windows logo key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. |
+| Windows logo key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. |
+| Windows logo key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. |
+| Windows logo key + Spacebar | **Win+Space** | Switch layout. |
+| Windows logo key + O | **Win+O** | Lock device orientation. |
+| Windows logo key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. |
+| Windows logo key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. |
+| Windows logo key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows logo key + Shift + Period key combination. |
+| Windows logo key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). |
+| Windows logo key + I | **Win+I** | Open Settings charm. |
+| Windows logo key + K | **Win+K** | Open Connect charm. |
+| Windows logo key + H | **Win+H** | Start dictation. |
+| Windows logo key + Q | **Win+Q** | Open Search charm. |
+| Windows logo key + W | **Win+W** | Open Windows Ink workspace. |
+| Windows logo key + Z | **Win+Z** | Open app bar. |
+| Windows logo key + / | **Win+/** | Open input method editor (IME). |
+| Windows logo key + J | **Win+J** | Swap between snapped and filled applications. |
+| Windows logo key + Comma | **Win+,** | Peek at the desktop. |
+| Windows logo key + V | **Win+V** | Cycle through toasts in reverse order. |
+
+## Modifier keys
+
+The following table contains predefined key combinations for modifier keys (such as Shift and Ctrl):
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:-----------------|:----------------------|:-----------------------|
+| Alt | **Alt** | Both Alt keys |
+| Application | **Application** | Application key |
+| Ctrl | **Ctrl** | Both Ctrl keys |
+| Shift | **Shift** | Both Shift keys |
+| Windows logo key | **Windows** | Both Windows logo keys |
+
+## Security keys
+
+The following table contains predefined key combinations for OS security:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:-----------------------|:----------------------|:----------------------------------|
+| Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. |
+| Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. |
+| Windows logo key + L | **Win+L** | Lock the device. |
+
+## Extended shell keys
+
+The following table contains predefined key combinations for extended shell functions (such as automatically opening certain apps):
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:--------------------|:----------------------|:------------------------|
+| LaunchMail | **LaunchMail** | Start Mail key |
+| LaunchMediaSelect | **LaunchMediaSelect** | Select Media key |
+| LaunchApp1 | **LaunchApp1** | Start Application 1 key |
+| LaunchApp2 | **LaunchApp2** | Start Application 2 key |
+
+## Browser keys
+
+The following table contains predefined key combinations for controlling the browser:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:-----------------|:----------------------|:---------------------------|
+| BrowserBack | **BrowserBack** | Browser Back key |
+| BrowserForward | **BrowserForward** | Browser Forward key |
+| BrowserRefresh | **BrowserRefresh** | Browser Refresh key |
+| BrowserStop | **BrowserStop** | Browser Stop key |
+| BrowserSearch | **BrowserSearch** | Browser Search key |
+| BrowserFavorites | **BrowserFavorites** | Browser Favorites key |
+| BrowserHome | **BrowserHome** | Browser Start and Home key |
+
+## Media keys
+
+The following table contains predefined key combinations for controlling media playback:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:----------------|:----------------------|:---------------------|
+| VolumeMute | **VolumeMute** | Volume Mute key |
+| VolumeDown | **VolumeDown** | Volume Down key |
+| VolumeUp | **VolumeUp** | Volume Up key |
+| MediaNext | **MediaNext** | Next Track key |
+| MediaPrev | **MediaPrev** | Previous Track key |
+| MediaStop | **MediaStop** | Stop Media key |
+| MediaPlayPause | **MediaPlayPause** | Play/Pause Media key |
+
+## Microsoft Surface keyboard keys
+
+The following table contains predefined key combinations for Microsoft Surface devices:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:------------------------------|:----------------------|:-------------|
+| Left Alt + Windows logo key | **AltWin** | Share key |
+| Left Ctrl + Windows logo key | **CtrlWin** | Devices key |
+| Left Shift + Windows logo key | **ShiftWin** | Search key |
+| F21 | **F21** | Settings key |
+
+## Related topics
+
+[Keyboard filter](index.md)
diff --git a/windows/configuration/keyboard-filter/remove-key-combination-configurations.md b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md
new file mode 100644
index 0000000000..624edc69f4
--- /dev/null
+++ b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md
@@ -0,0 +1,106 @@
+---
+title: Remove key combination configurations
+description: Remove key combination configurations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Remove key combination configurations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create two functions to remove custom-defined key combination configurations from Keyboard Filter. It demonstrates several ways to use each function.
+
+The first function, **Remove-Custom-Key**, removes custom key combination configurations.
+
+The second function, **Remove-Scancode**, removes custom scan code configurations.
+
+You can't remove the predefined key combination configurations for Keyboard Filter, but you can disable them.
+
+## Remove-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to use the build in WMI providers to remove keyboard filter rules. Rules of type WEKF_PredefinedKey cannot be removed.
+.Parameter ComputerName
+ Optional parameter to specify the remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+
+param(
+ [string] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Remove-Custom-Key($Id) {
+ <#
+ .Synopsis
+ Remove an instance of WEKF_CustomKey
+ .Description
+ Enumerate all instances of WEKF_CustomKey. When an instance has an
+ Id that matches $Id, delete it.
+ .Example
+ Remove-Custom-Key "Ctrl+V"
+
+ This removes the instance of WEKF_CustomKey with a key Id of "Ctrl+V"
+#>
+
+ $customInstance = Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ where {$_.Id -eq $Id}
+
+ if ($customInstance) {
+ $customInstance.Delete();
+ "Removed Custom Filter $Id.";
+ } else {
+ "Custom Filter $Id does not exist.";
+ }
+}
+
+function Remove-Scancode($Modifiers, [int]$Code) {
+ <#
+ .Synopsis
+ Remove and instance of WEKF_Scancode
+ .Description
+ Enumerate all instances of WEKF_Scancode. When an instance has a
+ matching modifiers and code, delete it.
+ .Example
+ Remove-Scancode "Ctrl" 37
+
+ This removes the instance of WEKF_Scancode with Modifiers="Ctrl" and
+ Scancode=37.
+#>
+
+ $scancodeInstance = Get-WMIObject -class WEKF_Scancode @CommonParams |
+ where {($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)}
+
+ if ($scancodeInstance) {
+ $scancodeInstance.Delete();
+ "Removed Scancode $Modifiers+$Code.";
+ } else {
+ "Scancode $Modifiers+$Code does not exist.";
+ }
+}
+
+# Some example uses of the functions defined above.
+Remove-Custom-Key "Ctrl+V"
+Remove-Custom-Key "Numpad0"
+Remove-Custom-Key "Shift+Numpad1"
+Remove-Custom-Key "%"
+Remove-Scancode "Ctrl" 37
+```
+
+## Related articles
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard filter](index.md)
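Review bot: The five example calls at the bottom of Remove-rules.ps1 (`Remove-Custom-Key "Ctrl+V"` through `Remove-Scancode "Ctrl" 37`) run every time the script is invoked, so a reader who executes it as-is on a locked-down device lifts those blocks rather than merely loading the two functions; consider commenting them out or moving them into the `.Example` help, e.g. `# Example uses (uncomment to run):`. The results of `$customInstance.Delete()` and `$scancodeInstance.Delete()` are discarded, so a delete that fails (for instance when run without administrator rights) is still reported as `Removed Custom Filter $Id.`; wrapping each call in try/catch keeps the printed outcome aligned with the device state, which matters for a lockdown control. Two small wording fixes in the synopsis: `build in` should be `built-in`, and `Remove and instance of WEKF_Scancode` should be `Remove an instance of WEKF_Scancode`. `Get-WMIObject` is available only in Windows PowerShell, so a one-line note that the sample targets powershell.exe (not PowerShell 7) would spare readers a confusing "not recognized" error.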
diff --git a/windows/configuration/keyboard-filter/toc.yml b/windows/configuration/keyboard-filter/toc.yml
new file mode 100644
index 0000000000..7c09e1a75c
--- /dev/null
+++ b/windows/configuration/keyboard-filter/toc.yml
@@ -0,0 +1,53 @@
+items:
+- name: Keyboard Filter
+ items:
+ - name: About keyboard filter
+ href: index.md
+ - name: Key Names
+ href: keyboardfilter-key-names.md
+ - name: Predefined Key Combinations
+ href: keyboardfilter-list-all-configured-key-combinations.md
+ - name: WMI Provider Reference
+ items:
+ - name: Overview
+ href: keyboardfilter-wmi-provider-reference.md
+ - name: Class WEKF_CustomKey
+ items:
+ - name: Overview
+ href: wekf-customkey.md
+ - name: Add
+ href: wekf-customkeyadd.md
+ - name: Remove
+ href: wekf-customkeyremove.md
+ - name: Class WEKF_PredefinedKey
+ items:
+ - name: Overview
+ href: wekf-predefinedkey.md
+ - name: Disable
+ href: wekf-predefinedkeydisable.md
+ - name: Enable
+ href: wekf-predefinedkeyenable.md
+ - name: Class WEKF_Scancode
+ items:
+ - name: Overview
+ href: wekf-scancode.md
+ - name: Add
+ href: wekf-scancodeadd.md
+ - name: Remove
+ href: wekf-scancoderemove.md
+ - name: Class WEKF-Settings
+ href: wekf-settings.md
+ - name: PowerShell script samples
+ items:
+ - name: Overview
+ href: keyboardfilter-powershell-script-samples.md
+ - name: Add blocked key Combinations
+ href: keyboardfilter-add-blocked-key-combinations.md
+ - name: Disable all blocked key Combinations
+ href: disable-all-blocked-key-combinations.md
+ - name: List all configured key combinations
+ href: keyboardfilter-list-all-configured-key-combinations.md
+ - name: Modify global settings
+ href: modify-global-settings.md
+ - name: Remove key combination configurations
+ href: remove-key-combination-configurations.md
\ No newline at end of file
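Review bot: The `Predefined Key Combinations` entry links `keyboardfilter-list-all-configured-key-combinations.md`, the same target as the `List all configured key combinations` script sample further down, while the class pages added in this change (wekf-predefinedkey.md, wekf-predefinedkeydisable.md, wekf-predefinedkeyenable.md) link the predefined-key list as `predefined-key-combinations.md`. One of the two is wrong: if the list page is `predefined-key-combinations.md`, the fix is `href: predefined-key-combinations.md`; otherwise the three class pages point at a file that does not exist. The file also lacks a trailing newline.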
diff --git a/windows/configuration/keyboard-filter/wekf-customkey.md b/windows/configuration/keyboard-filter/wekf-customkey.md
new file mode 100644
index 0000000000..dcc812049e
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-customkey.md
@@ -0,0 +1,128 @@
+---
+title: WEKF_CustomKey
+description: WEKF_CustomKey
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+
+# WEKF_CustomKey
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Adds or removes custom-defined key combinations.
+
+## Syntax
+
+```powershell
+class WEKF_CustomKey {
+ [Static] uint32 Add(
+ [In] string CustomKey
+ );
+ [Static] uint32 Remove(
+ [In] string CustomKey
+ );
+
+ [Key] string Id;
+ [Read, Write] boolean Enabled;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|---------|-------------|
+| [WEKF_CustomKey.Add](wekf-customkeyadd.md) | Creates a new custom key combination and enables Keyboard Filter to block the new key combination. |
+| [WEKF_CustomKey.Remove](wekf-customkeyremove.md) | Removes the specified custom key combination. Keyboard Filter stops blocking the key combination that was removed. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|--------------|
+| **Id** | string | [key] | The name of the custom key combination. |
+| **Enabled** | Boolean | [read, write] | Indicates if the key is blocked or unblocked. This property can be one of the following values - **true** Indicates that the key is blocked.- **false** Indicates that the key isn't blocked. |
+
+### Remarks
+
+You can specify key combinations by including the modifier keys in the name. The most common modifier names are >Ctrl, >Shift, >Alt, and >Win. You can't block a combination of non-modifier keys. For example, you can block a key combination of >Ctrl+>Shift+>F, but you can't block a key combination of >A+>D.
+
+When you block a >Shift-modified key, you must enter the key as >Shift + the unmodified key. For example, to block the >% key on an English keyboard layout, you must specify the key as >Shift+>5. Attempting to block >%, results in Keyboard Filter blocking >5 instead.
+
+When you specify the key combination to block, you must use the English names for the keys. For a list of the key names you can specify, see Keyboard Filter key names.
+
+## Example
+
+The following code demonstrates how to add or enable a custom key combination that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly and doesn't call any of the methods defined in **WEKF_CustomKey**.
+
+```powershell
+<#
+.Synopsis
+ This script shows how to use the WMI provider to enable and add
+ Keyboard Filter rules through Windows PowerShell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Enable-Custom-Key($Id) {
+ <#
+ .Synopsis
+ Toggle on a Custom Key Keyboard Filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+
+ In the case that the Custom instance does not exist, add a new
+ instance of WEKF_CustomKey using Set-WMIInstance.
+ .Example
+ Enable-Custom-Key "Ctrl+V"
+
+ Enable filtering of the Ctrl + V sequence.
+#>
+
+ $custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($custom) {
+# Rule exists. Just enable it.
+ $custom.Enabled = 1;
+ $custom.Put() | Out-Null;
+ "Enabled Custom Filter $Id.";
+
+ } else {
+ Set-WMIInstance `
+ -class WEKF_CustomKey `
+ -argument @{Id="$Id"} `
+ @CommonParams | Out-Null
+
+ "Added Custom Filter $Id.";
+ }
+}
+
+
+# Some example uses of the function defined above.
+
+Enable-Custom-Key "Ctrl+V"
+Enable-Custom-Key "Numpad0"
+Enable-Custom-Key "Shift+Numpad1"
+```
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter key names](keyboardfilter-key-names.md)
diff --git a/windows/configuration/keyboard-filter/wekf-customkeyadd.md b/windows/configuration/keyboard-filter/wekf-customkeyadd.md
new file mode 100644
index 0000000000..a48eeedb72
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-customkeyadd.md
@@ -0,0 +1,94 @@
+---
+title: WEKF_CustomKey.Add
+description: WEKF_CustomKey.Add
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_CustomKey.Add
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Creates a new custom key combination and enables Keyboard Filter to block the new key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Add(
+ [In] string CustomKey
+);
+```
+
+## Parameters
+
+**CustomKey**\[in\] The custom key combination to add. For a list of valid key names, see [Keyboard Filter key names](keyboardfilter-key-names.md).
+
+## Return Value
+
+Returns an HRESULT value that indicates a [WMI Non-Error Constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI Error Constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_CustomKey.Add** creates a new **WEKF_CustomKey** object and sets the **Enabled** property of the new object to **true**, and the **Id** property to *CustomKey*.
+
+If a **WEKF_CustomKey** object already exists with the **Id** property equal to *CustomKey*, then **WEKF_CustomKey.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_CustomKey** object has the **Enabled** property set to **false**, Keyboard Filter does not block the custom key combination.
+
+## Example
+
+The following code demonstrates how to add or enable a custom key that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods
+$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
+
+# Create a function to add or enable a key combination for Keyboard Filter to block
+function Enable-Custom-Key($KeyId) {
+
+# Check to see if the custom key object already exists
+ $objCustomKey = Get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey |
+ where {$_.Id -eq "$KeyId"};
+
+ if ($objCustomKey) {
+
+# The custom key already exists, so just enable it
+ $objCustomKey.Enabled = 1;
+ $objCustomKey.Put() | Out-Null;
+ "Enabled ${KeyId}.";
+
+ } else {
+
+# Create a new custom key object by calling the static Add method
+ $retval = $classCustomKey.Add($KeyId);
+
+# Check the return value to verify that the Add is successful
+ if ($retval.ReturnValue -eq 0) {
+ "Added ${KeyID}."
+ } else {
+ "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+ }
+}
+
+# Enable Keyboard Filter to block several custom keys
+
+Enable-Custom-Key "Ctrl+v"
+Enable-Custom-Key "Ctrl+v"
+Enable-Custom-Key "Shift+4"
+Enable-Custom-Key "Ctrl+Alt+w"
+
+# List all the currently existing custom keys
+
+$objCustomKeyList = get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey
+foreach ($objCustomKeyItem in $objCustomKeyList) {
+ "Custom key: " + $objCustomKeyItem.Id
+ " enabled: " + $objCustomKeyItem.Enabled
+ }
+```
+
+## Related articles
+
+- [WEKF_CustomKey](wekf-customkey.md)
+- [Keyboard Filter](index.md)
diff --git a/windows/configuration/keyboard-filter/wekf-customkeyremove.md b/windows/configuration/keyboard-filter/wekf-customkeyremove.md
new file mode 100644
index 0000000000..26b1d35bdc
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-customkeyremove.md
@@ -0,0 +1,86 @@
+---
+title: WEKF_CustomKey.Remove
+description: WEKF_CustomKey.Remove
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_CustomKey.Remove
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Removes a custom key combination, causing Keyboard Filter to stop blocking the removed key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Remove(
+ [In] string CustomKey
+);
+```
+
+## Parameters
+
+**CustomKey**\[in\] The custom key combination to remove.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_CustomKey.Remove** removes an existing **WEKF_CustomKey** object. If the object doesn't exist, **WEKF_CustomKey.Remove** returns an error with the value 0x8007007B.
+
+Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
+
+## Example
+
+The following code demonstrates how to remove a custom key from Keyboard Filter so it's no longer blocked by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods
+$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
+
+# Create a function to remove a key combination
+function Remove-Custom-Key($KeyId) {
+
+# Call the static Remove() method on the class reference
+ $retval = $classCustomKey.Remove($KeyId)
+
+# Check the return value for status
+ if ($retval.ReturnValue -eq 0) {
+
+# Custom key combination removed successfully
+ "Removed ${KeyID}."
+ } elseif ($retval.ReturnValue -eq 2147942523) {
+
+# No object exists with the specified custom key
+ "Failed to remove ${KeyID}. No object found."
+ } else {
+
+# Unknown error, report error code in hexadecimal
+ "Failed to remove ${KeyID}. Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+}
+
+
+# Example of removing a custom key so that Keyboard Filter stops blocking it
+Remove-Custom-Key "Ctrl+Alt+w"
+
+# Example of removing all custom keys that have the Enabled property set to false
+$objDisabledCustomKeys = Get-WmiObject -Namespace $NAMESPACE -Class WEKF_CustomKey;
+
+foreach ($objCustomKey in $objDisabledCustomKeys) {
+ if (!$objCustomKey.Enabled) {
+ Remove-Custom-Key($objCustomKey.Id);
+ }
+}
+```
+
+## Related topics
+
+- [WEKF_CustomKey](wekf-customkey.md)
+- [Keyboard Filter](index.md)
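Review bot: The bulk-removal loop enumerates with `Get-WmiObject -Namespace $NAMESPACE -Class WEKF_CustomKey` (no `-ComputerName $COMPUTER`) while `$classCustomKey` targets `\\$COMPUTER\...`, so with a non-local `$COMPUTER` the loop reads the local rule set and removes those names remotely; add `-ComputerName $COMPUTER` to that call. The comparison `$retval.ReturnValue -eq 2147942523` is correct and should stay decimal: a hex literal `0x8007007B` would, as far as I recall, be parsed by PowerShell as a negative Int32 and never match, so a comment such as `# 2147942523 == 0x8007007B (no object with this Id)` would stop a future reader from "fixing" it. Because removal lifts the block immediately and is not reversible without re-adding each key, the "remove all disabled" loop deserves a one-line warning above it.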
diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkey.md b/windows/configuration/keyboard-filter/wekf-predefinedkey.md
new file mode 100644
index 0000000000..dd5de7d93a
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-predefinedkey.md
@@ -0,0 +1,112 @@
+---
+title: WEKF_PredefinedKey
+description: WEKF_PredefinedKey
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_PredefinedKey
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This class blocks or unblocks predefined key combinations, such as Ctrl+Alt+Delete.
+
+## Syntax
+
+```powershell
+class WEKF_PredefinedKey {
+ [Static] uint32 Enable (
+ [In] string PredefinedKey
+ );
+ [Static] uint32 Disable (
+ [In] string PredefinedKey
+ );
+
+ [Key] string Id;
+ [Read, Write] boolean Enabled;
+};
+```
+
+## Members
+
+The following tables list any constructors, methods, fields, and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|:-----------------------------------------------------------|:---------------------------------------|
+| [WEKF_PredefinedKey.Enable](wekf-predefinedkeyenable.md) | Blocks the specified predefined key. |
+| [WEKF_PredefinedKey.Disable](wekf-predefinedkeydisable.md) | Unblocks the specified predefined key. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|:------------|:----------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Id** | string | [key] | The name of the predefined key combination. |
+| **Enabled** | Boolean | [read, write] | Indicates whether the key is blocked or unblocked. To indicate that the key is blocked, specify **true**. To indicate that the key isn't blocked, specify **false**. |
+
+### Remarks
+
+All accounts have read access to the **WEKF_PRedefinedKey** class, but only administrator accounts can modify the class.
+
+For a list of predefined key combinations for Keyboard Filter, see [Predefined key combinations](predefined-key-combinations.md).
+
+## Example
+
+The following sample Windows PowerShell script blocks the Ctrl+Alt+Delete and the Ctrl+Esc key combinations when the Keyboard Filter service is running.
+
+```powershell
+<#
+.Synopsis
+ This script shows how to use the built in WMI providers to enable and add
+ Keyboard Filter rules through Windows PowerShell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Enable-Predefined-Key($Id) {
+ <#
+ .Synposis
+ Toggle on a Predefined Key Keyboard Filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+ .Example
+ Enable-Predefined-Key "Ctrl+Alt+Delete"
+
+ Enable CAD filtering
+#>
+
+ $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($predefined) {
+ $predefined.Enabled = 1;
+ $predefined.Put() | Out-Null;
+ Write-Host Enabled $Id
+ } else {
+ Write-Error $Id is not a valid predefined key
+ }
+}
+
+# Some example uses of the function defined above.
+
+Enable-Predefined-Key "Ctrl+Alt+Delete"
+Enable-Predefined-Key "Ctrl+Esc"
+```
+
+## Related articles
+
+- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+- [Keyboard Filter](index.md)
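Review bot: `Write-Error $Id is not a valid predefined key` on the else branch passes `is`, `not`, `a`, ... as separate positional arguments; unlike Write-Host, Write-Error accepts only one positional parameter, so as far as I can tell the call fails with a parameter-binding error instead of emitting the intended message. Quote the string: `Write-Error "$Id is not a valid predefined key"`. Two doc nits in the same hunk: `.Synposis` in the function help should be `.Synopsis`, and the Remarks spell the class `WEKF_PRedefinedKey`. The Remarks note that any account can read the class but only administrators can modify it is useful context, since the sample has no elevation check and the `Put()` is presumably where a non-administrator run will fail.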
diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md
new file mode 100644
index 0000000000..b49d3383f0
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md
@@ -0,0 +1,34 @@
+---
+title: WEKF_PredefinedKey.Disable
+description: WEKF_PredefinedKey.Disable
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_PredefinedKey.Disable
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Unblocks the specified predefined key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Disable(
+ [In] string PredefinedKey
+);
+```
+
+## Parameters
+
+**PredefinedKey**\[in\] The predefined key combination to unblock. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI Non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+
+## Related articles
+
+- [WEKF_PredefinedKey](wekf-predefinedkey.md)
+- [Keyboard Filter](index.md)
diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md
new file mode 100644
index 0000000000..a674afda86
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md
@@ -0,0 +1,33 @@
+---
+title: WEKF_PredefinedKey.Enable
+description: WEKF_PredefinedKey.Enable
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_PredefinedKey.Enable
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This method blocks the specified predefined key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Enable(
+ [In] string PredefinedKey
+);
+```
+
+## Parameters
+
+**PredefinedKey**The predefined key combination to block. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Related articles
+
+- [WEKF_PredefinedKey](wekf-predefinedkey.md)
+- [Keyboard Filter](index.md)
diff --git a/windows/configuration/keyboard-filter/wekf-scancode.md b/windows/configuration/keyboard-filter/wekf-scancode.md
new file mode 100644
index 0000000000..8cfb7b0f6e
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-scancode.md
@@ -0,0 +1,126 @@
+---
+title: WEKF_Scancode
+description: WEKF_Scancode
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Scancode
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Blocks or unblocks key combinations by using the keyboard scan code, which is an integer number that is generated whenever a key is pressed or released.
+
+## Syntax
+
+```powershell
+class WEKF_Scancode {
+ [Static] uint32 Add(
+ [In] string Modifiers,
+ [In] uint16 scancode
+ );
+ [Static] uint32 Remove(
+ [In] string Modifiers,
+ [In] uint16 Scancode
+ );
+
+ [Key] string Modifiers;
+ [Key] uint16 Scancode;
+ [Read, Write] boolean Enabled;
+}
+```
+
+## Members
+
+The following tables list any constructors, methods, fields, and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|---------|-------------|
+| [WEKF_Scancode.Add](wekf-scancodeadd.md) | Adds a new custom scan code combination and enables Keyboard Filter to block the new scan code combination. |
+| [WEKF_Scancode.Remove](wekf-scancoderemove.md) | Removes the specified custom scan code combination. Keyboard Filter stops blocking the scan code combination that was removed. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Modifiers** | string | [key] | The modifier keys that are part of the key combination to block. |
+| **Scancode** | uint16 | [key] | The scan code part of the key combination to block. |
+| **Enabled** | Boolean | [read, write] | Indicates whether the scan code is blocked or unblocked. This property can be one of the following values:- **true** Indicates that the scan code is blocked.- **false** Indicates that the scan code isn't blocked. |
+
+### Remarks
+
+Scan codes are generated by the keyboard whenever a key is pressed. The same physical key will always generate the same scan code, regardless of which keyboard layout is currently being used by the system.
+
+You can specify key combinations by including the modifier keys in the *Modifiers* parameter of the **Add** method or by modifying the **Modifiers** property. The most common modifier names are >Ctrl, >Shift, >Alt, and >Win.
+
+## Example
+
+The following code demonstrates how to add or enable a keyboard scan code that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly, and doesn't call any of the methods defined in **WEKF_Scancode**.
+
+```powershell
+<#
+.Synopsis
+ This script shows how to use the WMI provider to enable and add
+ Keyboard Filter rules through Windows Powershell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+
+function Enable-Scancode($Modifiers, [int]$Code) {
+ <#
+ .Synopsis
+ Toggle on a Scancode Keyboard Filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_Scancode instances,
+ filter against key values of "Modifiers" and "Scancode", and set
+ that instance's "Enabled" property to 1/true.
+
+ In the case that the Scancode instance does not exist, add a new
+ instance of WEKF_Scancode using Set-WMIInstance.
+ .Example
+ Enable-Predefined-Key "Ctrl+V"
+
+ Enable filtering of the Ctrl + V sequence.
+#>
+
+ $scancode =
+ Get-WMIObject -class WEKF_Scancode @CommonParams |
+ where {
+ ($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
+ }
+
+ if($scancode) {
+ $scancode.Enabled = 1
+ $scancode.Put() | Out-Null
+ "Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ } else {
+ Set-WMIInstance `
+ -class WEKF_Scancode `
+ -argument @{Modifiers="$Modifiers"; Scancode=$Code} `
+ @CommonParams | Out-Null
+
+ "Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ }
+}
+
+# Some example uses of the function defined above.
+
+Enable-Scancode "Ctrl" 37
+```
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter](index.md)
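Review bot: The help block for `Enable-Scancode` gives `.Example Enable-Predefined-Key "Ctrl+V"`, which is copied from the WEKF_PredefinedKey page and does not match this function's `($Modifiers, [int]$Code)` signature; it should read `Enable-Scancode "Ctrl" 37` with the text `Enable filtering of Ctrl + the key with scan code 37.` The class listing declares the Add parameter as `uint16 scancode` while Remove and the property use `Scancode`; one casing avoids readers assuming they are different names. The Remarks' point that a physical key produces the same scan code regardless of layout is the security-relevant contrast with WEKF_CustomKey, which requires English key names, and may be worth stating explicitly as the reason to prefer scan-code rules on devices with non-English layouts.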
diff --git a/windows/configuration/keyboard-filter/wekf-scancodeadd.md b/windows/configuration/keyboard-filter/wekf-scancodeadd.md
new file mode 100644
index 0000000000..cd4b70efe8
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-scancodeadd.md
@@ -0,0 +1,42 @@
+---
+title: WEKF_Scancode.Add
+description: WEKF_Scancode.Add
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Scancode.Add
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This method adds a new custom scan code combination and enables Keyboard Filter to block the new combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Add(
+ [In] string Modifiers,
+ [In] uint16 Scancode
+);
+```
+
+## Parameters
+
+**Modifers**The modifier keys that are part of the key combination to block.
+
+**Scancode**The hardware scan code of the key to block.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_Scancode.Add** creates a new **WEKF_Scancode** object and sets the **Enabled** property of the new object to **true**.
+
+If a **WEKF_Scancode** object already exists with same *Modifiers* and *Scancode* properties, then **WEKF_Scancode.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_Scancode** object has the **Enabled** property set to **false**, Keyboard Filter doesn't block the scan code.
+
+## Related articles
+
+- [WEKF_Scancode](wekf-scancode.md)
+- [Keyboard Filter](index.md)
diff --git a/windows/configuration/keyboard-filter/wekf-scancoderemove.md b/windows/configuration/keyboard-filter/wekf-scancoderemove.md
new file mode 100644
index 0000000000..18bc6d3514
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-scancoderemove.md
@@ -0,0 +1,42 @@
+---
+title: WEKF_Scancode.Remove
+description: WEKF_Scancode.Remove
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Scancode.Remove
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This method removes a custom scan code key combination, causing Keyboard Filter to stop blocking the removed combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Remove(
+ [In] string Modifiers,
+ [In] uint16 Scancode
+);
+```
+
+## Parameters
+
+**Modifiers**The modifier keys of the combination to remove.
+
+**Scancode**The scan code of the combination to remove.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_Scancode.Remove** removes an existing **WEKF_Scancode** object. If the object doesn't exist, **WEKF_Scancode.Remove** returns an error with the value 0x8007007B.
+
+Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
+
+## Related articles
+
+- [WEKF_Scancode](wekf-scancode.md)
+- [Keyboard Filter](index.md)
diff --git a/windows/configuration/keyboard-filter/wekf-settings.md b/windows/configuration/keyboard-filter/wekf-settings.md
new file mode 100644
index 0000000000..df43feb21e
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-settings.md
@@ -0,0 +1,95 @@
+---
+title: WEKF_Settings
+description: WEKF_Settings
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Settings
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Enables or disables settings for Keyboard Filter.
+
+## Syntax
+
+```powershell
+class WEKF_Settings {
+ [Key] string Name;
+ [Read, Write] string Value;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Name** | string | [key] | Indicates the name of the Keyboard Filter setting that this object represents. See the Remarks section for a list of valid setting names. |
+| **Value** | string | [read, write] | Represents the value of the **Name** setting. The value isn't case-sensitive. See the Remarks section for a list of valid values for each setting. |
+
+### Remarks
+
+You must be signed in to an administrator account to make any changes to this class.
+
+Each **WEKF_Settings** object represents a single Keyboard Filter setting. You can enumerate across all **WEKF_Settings** objects to see the value of all Keyboard Filter settings.
+
+The following table lists all settings available for Keyboard Filter.
+
+| Setting name | Description |
+|--------------|-------------|
+| **DisableKeyboardFilterForAdministrators** | This setting specifies whether Keyboard Filter is enabled or disabled for administrator accounts. Set to **true** to disable Keyboard Filter for administrator accounts; otherwise, set to **false**. Set to **true** by default. |
+| **ForceOffAccessibility** | This setting specifies whether Keyboard Filter blocks users from enabling Ease of Access features. Set to **true** to force disabling the Ease of Access features. Set to **false** to allow enabling the Ease of Access features. Set to **false** by default.Changing this setting to **false** doesn't automatically enable Ease of Access features; you must manually enable them. |
+| **BreakoutKeyScanCode** | This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key consecutively five times to switch to the Welcome screen.By default, the BreakoutKeyScanCode is set to the scan code for the left Windows logo key. |
+
+One instance of the **WEKF_Settings** class exists for each valid setting.
+
+Changes to the **DisableKeyboardFilterForAdministrator** setting are applied when an administrator account signs in, and applies to all applications run during the user session. If a user without an administrator account runs an application as an administrator, Keyboard Filter is still enabled, regardless of the **DisableKeyboardFilterForAdministrator** setting.
+
+Changes to the **BreakoutKeyScanCode** setting don't take effect until you restart the device.
+
+If the **BreakoutKeyScanCode** is set to the scan code for either the left Windows logo key or the right Windows logo key, both Windows Logo keys will work as the breakout key.
+
+The **BreakoutKeyScanCode** setting only applies to accounts where Keyboard Filter is active. If the scan code is set to a value that doesn't map to any key, such as 0 (zero), then you must use another method to access the Welcome screen if you need to service the device, such as remotely connecting, or restarting the device if automatic sign-in isn't enabled.
+
+> [!IMPORTANT]
+> On some devices, if the breakout key is pressed too rapidly, the key presses may not register. We recommend that you include a slight pause between each breakout key press.
+
+> [!WARNING]
+> When setting the **BreakoutKeyScanCode**, be sure to use the scan code of the key, and not the virtual key value.
+
+### Example
+
+The following Windows PowerShell script demonstrates how to use this class to modify the breakout mode key for Keyboard Filter. This example sets the **BreakoutKeyScanCode** setting to the scan code for the Home key on a standard keyboard.
+
+```powershell
+#---Define variables---
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define the decimal scan code of the Home key
+
+$HomeKeyScanCode = 71
+
+# Get the BreakoutKeyScanCode setting from WEKF_Settings
+
+$BreakoutMode = get-wmiobject -class wekf_settings -namespace $NAMESPACE | where {$_.name -eq "BreakoutKeyScanCode"}
+
+# Set the breakout key to the Home key.
+
+$BreakoutMode.value = $HomeKeyScanCode
+
+# Push the change into the WMI configuration. You must restart your device before this change takes effect.
+
+$BreakoutMode.put()
+```
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter](index.md)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 3ffeaa9b73..97c7612c30 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -12,7 +12,7 @@ You can install multiple Universal Windows Platform (UWP) apps and Windows deskt
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#add-a-windows-desktop-application-using-advanced-editor).
> [!IMPORTANT]
-> If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise. Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to add Microsoft 365 Apps to Windows devices with Microsoft Intune.](/intune/apps-add-office365)
+> If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise. Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to add Microsoft 365 Apps to Windows devices with Microsoft Intune.](/mem/intune/apps/apps-add-office365)
## Settings for UWP apps
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index ec61311214..6c82ea8c13 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -1,7 +1,7 @@
---
title: How provisioning works in Windows
description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/09/2024
---
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index a226b877f3..14273f9e99 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -2,7 +2,7 @@
title: Provisioning packages overview
description: With Windows, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages are and what they do.
ms.reviewer: kevinsheehan
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 07/08/2024
---
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index d8292d3413..26ceb503e8 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -1,7 +1,7 @@
---
title: PowerShell cmdlets for provisioning packages in Windows
description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows devices.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/09/2024
---
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index a4f68379ee..b203b2e332 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -1,7 +1,7 @@
---
title: Settings changed when you uninstall a provisioning package
description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows desktop client devices.
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 07/09/2024
---
diff --git a/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md b/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md
index 15c139b82e..4d13b9b87e 100644
--- a/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md
@@ -1,7 +1,7 @@
---
title: Configure a shared or guest Windows device
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
-ms.date: 09/06/2024
+ms.date: 10/31/2024
ms.topic: how-to
---
diff --git a/windows/configuration/shared-pc/shared-devices-concepts.md b/windows/configuration/shared-pc/shared-devices-concepts.md
index fdb4b3ed52..84659c4325 100644
--- a/windows/configuration/shared-pc/shared-devices-concepts.md
+++ b/windows/configuration/shared-pc/shared-devices-concepts.md
@@ -1,7 +1,7 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
-ms.date: 02/06/2024
+ms.date: 10/31/2024
ms.topic: concept-article
---
diff --git a/windows/configuration/shared-pc/shared-pc-technical.md b/windows/configuration/shared-pc/shared-pc-technical.md
index 62edc9d451..dbd8ff2fd7 100644
--- a/windows/configuration/shared-pc/shared-pc-technical.md
+++ b/windows/configuration/shared-pc/shared-pc-technical.md
@@ -1,7 +1,7 @@
---
title: Shared PC technical reference
description: List of policies and settings applied by the Shared PC options.
-ms.date: 02/06/2024
+ms.date: 10/31/2024
ms.topic: reference
---
diff --git a/windows/configuration/shell-launcher/browser-support.md b/windows/configuration/shell-launcher/browser-support.md
new file mode 100644
index 0000000000..1c3b383033
--- /dev/null
+++ b/windows/configuration/shell-launcher/browser-support.md
@@ -0,0 +1,47 @@
+---
+title: Browser Support
+ms.date: 03/30/2023
+ms.topic: concept-article
+description: Learn about browser support in Kiosk Mode
+---
+
+# Browser Support
+
+Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience.
+
+## Microsoft Edge Kiosk Mode
+
+> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021)
+
+[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
+
+* Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
+* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
+
+Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
+
+## Internet Explorer 11
+
+[Internet Explorer 11](/internet-explorer/internet-explorer) is considered a legacy browser, in subsequent releases.
+
+In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps and modern web apps in a single browser.
+
+> [!NOTE]
+> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022.
+>
+> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products.
+
+## Supported Versions
+
+| Browser | Internet Explorer 11 | Microsoft Edge Legacy | Microsoft Edge |
+|--|--|--|--|
+| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) |
+| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS end of service | Microsoft Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) |
+| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Microsoft Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update |
+| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
+| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
+
+## Additional Resources
+
+* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
+* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
diff --git a/windows/configuration/shell-launcher/index.md b/windows/configuration/shell-launcher/index.md
new file mode 100644
index 0000000000..50eeb99ef6
--- /dev/null
+++ b/windows/configuration/shell-launcher/index.md
@@ -0,0 +1,344 @@
+---
+title: Shell Launcher
+description: Shell Launcher
+ms.date: 06/07/2018
+ms.topic: overview
+---
+
+# Shell Launcher
+
+Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+
+You can also configure Shell Launcher to launch different shell applications for different users or user groups.
+
+There are a few exceptions to the applications and executables you can use as a custom shell:
+
+- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in.
+- You can't use a Universal Windows app as a custom shell.
+- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app.
+- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell.
+- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application.
+
+> [!NOTE]
+> You cannot configure both Shell Launcher and assigned access on the same system.
+>
+> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2.
+
+Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
+
+Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
+
+Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/)
+
+> [!NOTE]
+>
+> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell.
+>
+> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d).
+
+## Differences between Shell Launcher v1 and Shell Launcher v2
+
+Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application.
+Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app.
+In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
+
+- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard.
+- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
+- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
+For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2).
+
+## Requirements
+
+Windows 10 Enterprise or Windows 10 Education.
+
+## Terminology
+
+- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device.
+- **Configure:** To customize the setting or subsettings.
+- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511.
+- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later.
+
+## Turn on Shell Launcher
+
+Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher.
+
+### Enable Shell Launcher using Control Panel
+
+1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it.
+1. In the **Programs and Features** window, select **Turn Windows features on or off**.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.**
+1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+1. Select **Close** to close the **Windows Features** window.
+
+> [!NOTE]
+> Turning on Shell Launcher does not require a device restart.
+
+### Enable Shell Launcher by calling WESL_UserSetting
+
+1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting.
+1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in.
+
+This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
+
+### Enable Shell Launcher using DISM
+
+1. Open a command prompt with administrator privileges.
+1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim).
+1. Create a new directory.
+
+ ```CMD
+ md c:\wim
+ ```
+
+1. Mount the image.
+
+ ```CMD
+ dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
+ ```
+
+1. Enable the feature.
+
+ ```CMD
+ dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
+ ```
+
+1. Commit the change.
+
+ ```CMD
+ dism /unmount-wim /MountDir:c:\wim /Commit
+ ```
+
+### Enable Shell Launcher using Windows Configuration Designer
+
+The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply.
+
+Use the following steps to create a provisioning package that contains the ShellLauncher settings.
+
+1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
+1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**.
+1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired.
+1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same.
+
+## Configure Shell Launcher
+
+There are two ways you can configure Shell Launcher:
+
+1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it.
+1. Use the Shell Launcher WMI providers directly in a PowerShell script or application.
+
+You can configure the following options for Shell Launcher:
+
+- Enable or disable Shell Launcher.
+- Specify a shell configuration for a specific user or group.
+- Remove a shell configuration for a specific user or group.
+- Change the default shell configuration.
+- Get information on a shell configuration for a specific user or group.
+
+Any changes don't take effect until a user signs in.
+
+## Launch different shells for different user accounts
+
+By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell.
+
+You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device.
+
+If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name.
+
+For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
+
+When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
+
+## Perform an action when the shell exits
+
+When a custom shell exits, Shell Launcher can perform one of four actions:
+
+|Action|Description|
+|:---:|:---|
+|0|Restart the shell.|
+|1|Restart the device.|
+|2|Shut down the device.|
+|3|Do nothing.|
+
+> [!IMPORTANT]
+> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
+
+### Default return code action
+
+You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
+
+### Map the exit code to a Shell Launcher action
+
+Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
+
+If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
+
+For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to:
+
+- restart the device (1) when the shell returns an exit code of value -1
+- restart the shell (0) when the shell returns an exit code of value 0
+- do nothing (3) when the shell returns an exit code of value 1
+- shut down the device (2) when the shell returns an exit code of value 255
+
+Your custom return code action mapping would look like this:
+
+|Exit code|Action|
+|:----:|----|
+|-1|1 (restart the device)|
+|0|0 (restart the shell)|
+|1|3 (do nothing)|
+|255|2 (shut down the device)|
+
+## Set your custom shell
+
+Modify the following PowerShell script as appropriate and run the script on the device.
+
+```PowerShell
+# Check if shell launcher license is enabled
+function Check-ShellLauncherLicenseEnabled
+{
+ [string]$source = @"
+using System;
+using System.Runtime.InteropServices;
+
+static class CheckShellLauncherLicense
+{
+ const int S_OK = 0;
+
+ public static bool IsShellLauncherLicenseEnabled()
+ {
+ int enabled = 0;
+
+ if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
+ enabled = 0;
+ }
+ return (enabled != 0);
+ }
+
+ static class NativeMethods
+ {
+ [DllImport("Slc.dll")]
+ internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
+ }
+
+}
+"@
+
+ $type = Add-Type -TypeDefinition $source -PassThru
+
+ return $type[0]::IsShellLauncherLicenseEnabled()
+}
+
+[bool]$result = $false
+
+$result = Check-ShellLauncherLicenseEnabled
+"`nShell Launcher license enabled is set to " + $result
+if (-not($result))
+{
+ "`nThis device doesn't have required license to use Shell Launcher"
+ exit
+}
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+try {
+ $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+ } catch [Exception] {
+ write-host $_.Exception.Message;
+ write-host "Make sure Shell Launcher feature is enabled"
+ exit
+ }
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine.
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+$do_nothing = 3
+
+# Examples. You can change these examples to use the program that you want to use as the shell.
+
+# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Enable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($TRUE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+
+# Remove the new custom shells.
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+
+# Disable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($FALSE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+```
+
+> [!NOTE]
+> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is.
+
+## Shell Launcher user rights
+
+A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't.
+
+> [!WARNING]
+> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application.
+
+## Related articles
+
+- [Unbranded Boot](../unbranded-boot/index.md)
+- [Custom Logon](../custom-logon/index.md)
+- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher)
+- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts)
+- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits)
+- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights)
diff --git a/windows/configuration/shell-launcher/kiosk-mode.md b/windows/configuration/shell-launcher/kiosk-mode.md
new file mode 100644
index 0000000000..d5285fa51d
--- /dev/null
+++ b/windows/configuration/shell-launcher/kiosk-mode.md
@@ -0,0 +1,61 @@
+---
+title: Kiosk Mode
+ms.date: 01/18/2024
+ms.topic: overview
+description: Learn about Kiosk Mode in Windows IoT Enterprise.
+---
+
+# Kiosk mode
+
+Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use: [assigned access single-app kiosks](single-app-kiosk.md), [assigned access multi-app kiosks](multi-app-kiosk.md), or [shell launcher](index.md).
+
+Kiosk configurations are based upon either [assigned access](../assigned-access/overview.md) or [shell launcher](index.md). There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
+
+> [!NOTE]
+>
+> A benefit of using an assigned access kiosk mode is [these policies](/windows/configuration/kiosk-policies) are automatically applied to the device to optimize the lock-down experience.
+
+## Which type of app will your kiosk run?
+
+Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](/windows/configuration/setup-digital-signage), select a digital sign player as your kiosk app. Check out the [Guidelines for Kiosk Apps](/windows/configuration/guidelines-for-assigned-access-app).
+
+## Which type of kiosk do you need?
+
+If you want your kiosk to run a single app for anyone to see or use, consider an [assigned-access single-app kiosk](/windows/configuration/shell-launcher/single-app-kiosk) that runs either a [Universal Windows Platform (UWP) app](/windows/configuration/kiosk-methods#uwp) or a [Windows desktop application](/windows/configuration/kiosk-methods#classic).
+
+For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an [assigned access multi-app kiosk](/windows/configuration/kiosk-methods#desktop).
+
+## Which type of user account will be the kiosk account?
+
+The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
+
+## Kiosk capabilities for Windows 10 IoT Enterprise
+
+| Mode | Features | Description | Customer Usage |
+|------|----------|------------ |-----------------|
+| Assigned access | Single-app kiosk (UWP) | Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. | Digital signs & single function devices
+| Assigned access | Single-app kiosk (Microsoft Edge) | Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of browser. Only supports one single-app kiosk profile under one account per device. | Public browsing kiosks & digital signs |
+| Assigned access | Multi-app kiosk (Restricted User Experience) | Windows 10: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. Windows 11: Presents the familiar Windows desktop experience with a restricted set of apps. | Frontline Worker shared devices |
+| Shell launcher | Shell launcher | Auto launches an app that the customer specifies and monitors the lifecycle of this app. App can be used as a "shell" if desired. No default lockdown policies like hotkey blocking are enforced in Shell Launcher. | Fixed purpose devices with a custom shell experience |
+
+## How to configure your device for kiosk mode?
+
+Visit the following documentation to set up a kiosk according to your scenario:
+
+* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
+* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
+* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
+* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
+
+## Additional Resources
+
+* [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app)
+* [Validate your kiosk configuration](/windows/configuration/kiosk-validate)
+* [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app)
+* [Policies enforced on kiosk devices](/windows/configuration/kiosk-policies)
+* [Assigned access XML reference](/windows/configuration/kiosk-xml)
+* [Use AppLocker to create a Windows 10 kiosk](/windows/configuration/lock-down-windows-10-applocker)
+* [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher)
+* [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](/windows/configuration/kiosk-mdm-bridge)
+* [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot)
+* [Plan your kiosk mode transition to Microsoft Edge](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
diff --git a/windows/configuration/shell-launcher/multi-app-kiosk.md b/windows/configuration/shell-launcher/multi-app-kiosk.md
new file mode 100644
index 0000000000..b77d2fd604
--- /dev/null
+++ b/windows/configuration/shell-launcher/multi-app-kiosk.md
@@ -0,0 +1,39 @@
+---
+title: Multi-App Kiosk
+ms.date: 08/16/2023
+ms.topic: concept-article
+description: Learn about the Multi-App Kiosk in Windows IoT Enterprise.
+---
+
+# Assigned access multi-app kiosk
+
+An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk.
+
+> [!NOTE]
+> Multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2, or 22H2. Refer to [What's new for subsequent releases](/windows/iot/iot-enterprise/whats-new/release-history#windows-11-iot-enterprise) for information about its return.
+>
+> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12).
+
+## Benefits of using a multi-app kiosk
+
+The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they don't need to access.
+
+A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration.
+
+## Configuring your multi-app kiosk
+
+* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune)
+* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package)
+
+> [!NOTE]
+>
+> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that affects all nonadministrator users on the device.
+
+## More Resources
+
+* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps)
+* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
+* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
+* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
+* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
+* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
diff --git a/windows/configuration/shell-launcher/single-app-kiosk.md b/windows/configuration/shell-launcher/single-app-kiosk.md
new file mode 100644
index 0000000000..541fb49a2e
--- /dev/null
+++ b/windows/configuration/shell-launcher/single-app-kiosk.md
@@ -0,0 +1,38 @@
+---
+title: Assigned access Single-App Kiosk
+ms.date: 03/30/2023
+ms.topic: concept-article
+description: Learn about the Single-App Kiosk in Windows IoT Enterprise.
+---
+
+# Assigned access single-app kiosk
+
+A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app.
+
+> [!NOTE]
+>
+> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
+
+## Benefits of using a single-app kiosk
+
+A single-app kiosk is ideal for public use. Using [shell launcher](./index.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information.
+
+## Configuring your single-app kiosks
+
+You have several options for configuring your single-app kiosk.
+
+* [Settings App](/windows/configuration/kiosk-single-app#local)
+* [PowerShell](/windows/configuration/kiosk-single-app#powershell)
+* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard)
+* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm)
+
+> [!TIP]
+> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile).
+
+## Additional Resources
+
+* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
+* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
+* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
+* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
+* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
diff --git a/windows/configuration/shell-launcher/toc.yml b/windows/configuration/shell-launcher/toc.yml
new file mode 100644
index 0000000000..07c18e4e82
--- /dev/null
+++ b/windows/configuration/shell-launcher/toc.yml
@@ -0,0 +1,25 @@
+
+items:
+- name: Shell Launcher
+ items:
+ - name: Overview
+ href: index.md
+ - name: WMI Provider Reference
+ items:
+ - name: Class WESL_UserSetting
+ href: wesl-usersetting.md
+ - name: GetCustomShell
+ href: wesl-usersettinggetcustomshell.md
+ - name: GetDefaultShell
+ href: wesl-usersettinggetdefaultshell.md
+ - name: IsEnabled
+ href: wesl-usersettingisenabled.md
+ - name: RemoveCustomShell
+ href: wesl-usersettingremovecustomshell.md
+ - name: SetCustomShell
+ href: wesl-usersettingsetcustomshell.md
+ - name: SetDefaultShell
+ href: wesl-usersettingsetdefaultshell.md
+ - name: SetEnabled
+ href: wesl-usersettingsetenabled.md
+
diff --git a/windows/configuration/shell-launcher/wedl-assignedaccess.md b/windows/configuration/shell-launcher/wedl-assignedaccess.md
new file mode 100644
index 0000000000..acdd00a9df
--- /dev/null
+++ b/windows/configuration/shell-launcher/wedl-assignedaccess.md
@@ -0,0 +1,133 @@
+---
+title: WEDL_AssignedAccess
+description: WEDL_AssignedAccess
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WEDL_AssignedAccess
+
+This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/assigned-access.md)]
+
+## Syntax
+
+```powershell
+class WEDL_AssignedAccess {
+ [Key] string UserSID;
+ [Read, Write] string AppUserModelId;
+ [Read] sint32 Status;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+This class contains no methods.
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **UserSID** | string | [key] | The security identifier (SID) for the user account that you want to use as the assigned access account. |
+| **AppUserModelId** | string | [read, write] | The Application User Model ID (AUMID) of the Windows app to launch for the assigned access account. |
+| **Status** | Boolean | none | Indicates the current status of the assigned access configuration |
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | A valid account is configured, but no Windows app is specified. Assigned access is not enabled. |
+| 1 | Assigned access is enabled. |
+| 0x100 | UserSID error: cannot find the account. |
+| 0x103 | UserSID error: the account profile does not exist. |
+| 0x200 | AppUserModelID error: cannot find the Windows app. |
+| 0x201 | Task Scheduler error: Could not schedule task. Make sure that the Task Scheduler service is running. |
+| 0xffffffff | Unspecified error.|
+
+### Remarks
+
+Changes to assigned access do not affect any sessions that are currently signed in; you must sign out and sign back in.
+
+## Example
+
+The following Windows PowerShell script demonstrates how to use this class to set up an assigned access account.
+
+```powershell
+#
+#---Define variables---
+#
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define the assigned access account.
+# To use a different account, change $AssignedAccessAccount to a user account that is present on your device.
+
+$AssignedAccessAccount = "KioskAccount"
+
+# Define the Windows app to launch, in this example, use the Application Model User ID (AUMID) for Windows Calculator.
+# To use a different Windows app, change $AppAUMID to the AUMID of the Windows app to launch.
+# The Windows app must be installed for the account.
+
+$AppAUMID = "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
+
+#
+#---Define helper functions---
+#
+
+function Get-UsernameSID($AccountName) {
+
+# This function retrieves the SID for a user account on a machine.
+# This function does not check to verify that the user account actually exists.
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+}
+
+#
+#---Set up the new assigned access account---
+#
+
+# Get the SID for the assigned access account.
+
+$AssignedAccessUserSID = Get-UsernameSID($AssignedAccessAccount)
+
+# Check to see if an assigned access account is already set up, and if so, clear it.
+
+$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
+
+if ($AssignedAccessConfig) {
+
+# Configuration already exists. Delete it so that we can create a new one, since only one assigned access account can be set up at a time.
+
+ $AssignedAccessConfig.delete();
+
+}
+
+# Configure assigned access to launch the specified Windows app for the specified account.
+
+Set-WmiInstance -class WEDL_AssignedAccess -ComputerName $COMPUTER -Namespace $NAMESPACE -Arguments @{
+ UserSID = $AssignedAccessUserSID;
+ AppUserModelId = $AppAUMID
+ } | Out-Null;
+
+# Confirm that the settings were created properly.
+
+$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
+
+if ($AssignedAccessConfig) {
+
+ "Set up assigned access for the " + $AssignedAccessAccount + " account."
+ " UserSID = " + $AssignedAccessConfig.UserSid
+ " AppModelId = " + $AssignedAccessConfig.AppUserModelId
+
+} else {
+
+ "Could not set up assigned access account."
+}
+```
diff --git a/windows/configuration/shell-launcher/wesl-usersetting.md b/windows/configuration/shell-launcher/wesl-usersetting.md
new file mode 100644
index 0000000000..ce3019dbf0
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersetting.md
@@ -0,0 +1,162 @@
+---
+title: WESL_UserSetting
+description: WESL_UserSetting
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting
+
+This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits.
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+class WESL_UserSetting {
+ [read, write, Required] string Sid;
+ [read, write, Required] string Shell;
+ [read, write] Sint32 CustomReturnCodes[];
+ [read, write] Sint32 CustomReturnCodesAction[];
+ [read, write] sint32 DefaultAction;
+
+ [Static] uint32 SetCustomShell(
+ [In, Required] string Sid,
+ [In, Required] string Shell,
+ [In] sint32 CustomReturnCodes[],
+ [In] sint32 CustomReturnCodesAction[],
+ [In] sint32 DefaultAction
+ );
+ [Static] uint32 GetCustomShell(
+ [In, Required] string Sid,
+ [Out, Required] string Shell,
+ [Out, Required] sint32 CustomReturnCodes[],
+ [Out, Required] sint32 CustomReturnCodesAction[],
+ [Out, Required] sint32 DefaultAction
+ );
+ [Static] uint32 RemoveCustomShell(
+ [In, Required] string Sid
+ );
+ [Static] uint32 GetDefaultShell(
+ [Out, Required] string Shell,
+ [Out, Required] sint32 DefaultAction
+ );
+ [Static] uint32 SetDefaultShell(
+ [In, Required] string Shell,
+ [In, Required] sint32 DefaultAction
+ );
+ [Static] uint32 IsEnabled(
+ [Out, Required] boolean Enabled
+ );
+ [Static] uint32 SetEnabled(
+ [In, Required] boolean Enabled);
+ );
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|---------|-------------|
+| [WESL_UserSetting.SetCustomShell](wesl-usersettingsetcustomshell.md) | Configures Shell Launcher for a specific user or group, based on SID. |
+| [WESL_UserSetting.GetCustomShell](wesl-usersettinggetcustomshell.md) | Retrieves the Shell Launcher configuration for a specific user or group, based on the SID. |
+| [WESL_UserSetting.RemoveCustomShell](wesl-usersettingremovecustomshell.md) | Removes a Shell Launcher configuration for a specific user or group, based on the SID. |
+| [WESL_UserSetting.GetDefaultShell](wesl-usersettinggetdefaultshell.md) | Retrieves the default Shell Launcher configuration. |
+| [WESL_UserSetting.SetDefaultShell](wesl-usersettingsetdefaultshell.md) | Sets the default Shell Launcher configuration. |
+| [WESL_UserSetting.IsEnabled](wesl-usersettingisenabled.md) | Retrieves a value that indicates if Shell Launcher is enabled or disabled. |
+| [WESL_UserSetting.SetEnabled](wesl-usersettingsetenabled.md) | Enables or disables Shell Launcher. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Sid** | string | [read, write, required] | User or group SID. |
+| **shell** | string | [read, write, required] | The application to start as the shell.The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path.Any spaces in the **shell** property must be part of a quote-delimited string. |
+| **CustomReturnCodes** | Sint32[] |[read, write] | An array of custom return codes that can be returned by the shell. |
+| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**.The possible actions are:0 - Restart the shell.1 - Restart the device.2 - Shut down the device.3 - Do nothing. |
+| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits.The possible actions are defined as follows:0 - Restart the shell.1 - Restart the device.2 - Shut down the device.3 - Do nothing. |
+
+### Remarks
+
+Only one **WESL_UserSetting** instance exists on a device with Shell Launcher.
+
+Shell Launcher uses the custom configuration defined for the SID of the user currently signed in, if one exists. Otherwise, Shell Launcher uses a custom configuration defined for a group SID that the user is a member of, if any exist. If multiple group custom configurations for the user exist, Shell Launcher uses the first valid configuration it finds. The search order is not defined.
+
+If there is no custom configuration for the user's SID or any group SIDs that the user is a member of, Shell Launcher uses the default configuration.
+
+You can find the SID for a user and any groups that the user is a member of by using the [whoami](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771299(v=ws.10)) command-line tool.
+
+## Example
+
+The following Windows PowerShell script demonstrates how to add and remove custom shell configurations for Shell Launcher by using the Windows Management Instrumentation (WMI) providers for Shell Launcher.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine.
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+$do_nothing = 3
+
+# Examples
+
+# Set the command prompt as the default shell, and restart the device if it's closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Remove the new custom shells.
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+```
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
new file mode 100644
index 0000000000..6be4813c8c
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
@@ -0,0 +1,64 @@
+---
+title: WESL_UserSetting.GetCustomShell
+description: WESL_UserSetting.GetCustomShell
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.GetCustomShell
+
+This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 GetCustomShell (
+ [In, Required] string Sid,
+ [Out, Required] string Shell,
+ [Out, Required] sint32 CustomReturnCodes[],
+ [Out, Required] sint32 CustomReturnCodesAction[],
+ [Out, Required] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
+
+**Shell**\[out, required\] The application or executable that Shell Launcher starts as the shell.
+
+**CustomReturnCodes**\[out, required\] An array of custom return codes returned by the shell application.
+
+**CustomReturnCodesAction**\[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+**DefaultAction**\[out, required\] The default action that Shell Launcher takes when the shell application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:------:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application.
+
+If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
new file mode 100644
index 0000000000..c32948ad15
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
@@ -0,0 +1,44 @@
+---
+title: WESL_UserSetting.GetDefaultShell
+description: WESL_UserSetting.GetDefaultShell
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.GetDefaultShell
+
+This method retrieves the default Shell Launcher configuration.
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 GetDefaultShell (
+ [Out, Required] string Shell,
+ [Out, Required] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Shell**\[out, required\] The application or executable that Shell Launcher starts as the shell.
+
+**DefaultAction**\[out, required\] The default action Shell Launcher takes when the shell application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
diff --git a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
new file mode 100644
index 0000000000..1125bb1d92
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
@@ -0,0 +1,28 @@
+---
+title: WESL_UserSetting.IsEnabled
+description: WESL_UserSetting.IsEnabled
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.IsEnabled
+
+This method retrieves a value that indicates if Shell Launcher is enabled or disabled.
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 IsEnabled(
+ [Out, Required] boolean Enabled
+);
+```
+
+## Parameters
+
+**Enabled**\[out, required\] A Boolean value that indicates if Shell Launcher is enabled.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
diff --git a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
new file mode 100644
index 0000000000..e5058577a9
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
@@ -0,0 +1,32 @@
+---
+title: WESL_UserSetting.RemoveCustomShell
+description: WESL_UserSetting.RemoveCustomShell
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.RemoveCustomShell
+
+This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 RemoveCustomShell (
+ [In, Required] string Sid
+);
+```
+
+## Parameters
+
+**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must restart your device for the changes to take effect.
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
new file mode 100644
index 0000000000..5b788c9295
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
@@ -0,0 +1,64 @@
+---
+title: WESL_UserSetting.SetCustomShell
+description: WESL_UserSetting.SetCustomShell
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.SetCustomShell
+
+This method configures Shell Launcher for a specific user or group, based on the security identifier (SID).
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 SetCustomShell (
+ [In, Required] string Sid,
+ [In, Required] string Shell,
+ [In] sint32 CustomReturnCodes[],
+ [In] sint32 CustomReturnCodesAction[],
+ [In] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for.
+
+**Shell**\[in, required\] The application or executable that Shell Launcher starts as the shell.
+
+**CustomReturnCodes**\[in\] An array of custom return codes that can be returned by the shell application.
+
+**CustomReturnCodesAction**\[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+**DefaultAction**\[In\] The default action that Shell Launcher takes when the shell application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell.|
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application.
+
+If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
new file mode 100644
index 0000000000..d829d7d717
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
@@ -0,0 +1,44 @@
+---
+title: WESL_UserSetting.SetDefaultShell
+description: WESL_UserSetting.SetDefaultShell
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.SetDefaultShell
+
+This method sets the default Shell Launcher configuration.
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 SetDefaultShell (
+ [In, Required] string Shell,
+ [In, Required] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Shell**\[in, required\] The application or executable that Shell Launcher starts as the shell.
+
+**DefaultAction**\[in, required\] The default action that Shell Launcher takes when the *Shell* application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-------:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
new file mode 100644
index 0000000000..64d952bf88
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
@@ -0,0 +1,34 @@
+---
+title: WESL_UserSetting.SetEnabled
+description: WESL_UserSetting.SetEnabled
+ms.date: 02/25/2025
+ms.topic: reference
+---
+
+# WESL_UserSetting.SetEnabled
+
+This method enables or disables Shell Launcher.
+
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
+## Syntax
+
+```powershell
+[Static] uint32 SetEnabled(
+ [In, Required] boolean Enabled
+);
+```
+
+## Parameters
+
+**Enabled**\[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](../unified-write-filter/uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher.
+
+Enabling or disabling Shell Launcher does not take effect until a user signs in.
diff --git a/windows/configuration/start/includes/disable-account-notifications.md b/windows/configuration/start/includes/disable-account-notifications.md
new file mode 100644
index 0000000000..02d3427ef9
--- /dev/null
+++ b/windows/configuration/start/includes/disable-account-notifications.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/04/2024
+ms.topic: include
+---
+
+### Disable Account Notifications
+
+This policy controls the notifications to Microsoft account (MSA) and local users in the Start's user tile:
+
+- When enabled, Windows doesn't send account related notifications for local and MSA users to the user tile in Start
+- Wen disabled or not configured, Windows sends account related notifications for local and MSA users to the user tile in Start
+
+Notifications include getting users to:
+
+- reauthenticate
+- back up their device
+- manage cloud storage quotas
+- manage their Microsoft 365 or XBOX subscription
+
+| | Path |
+|--|--|
+| **CSP** | `./User/Vendor/MSFT/Policy/Config/Notifications/`[DisableAccountNotifications](/windows/client-management/mdm/policy-csp-notifications#disableaccountnotifications) |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Windows Components** > **Account Notifications** > **Turn off account notifications in Start** |
diff --git a/windows/configuration/start/includes/hide-recently-added-apps.md b/windows/configuration/start/includes/hide-recently-added-apps.md
index 43c642e888..8dac911b1b 100644
--- a/windows/configuration/start/includes/hide-recently-added-apps.md
+++ b/windows/configuration/start/includes/hide-recently-added-apps.md
@@ -1,15 +1,16 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 04/10/2024
+ms.date: 02/25/2025
ms.topic: include
---
### Hide recently added apps
-With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications.
+With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications:
-If you enable this policy, the Start menu doesn't display the **Recently added** list. The corresponding setting is also disabled in Settings.
+- If **enabled**, the Start menu doesn't display the **Recently added** list. The corresponding option in Settings can't be configured (grayed out)
+- If **disabled** or **not configured**, the Start menu displays the **Recently added** list. The corresponding option in Settings can be configured
| | Path |
|--|--|
diff --git a/windows/configuration/start/index.md b/windows/configuration/start/index.md
index 0627e33663..2294ebe5cc 100644
--- a/windows/configuration/start/index.md
+++ b/windows/configuration/start/index.md
@@ -1,8 +1,8 @@
---
-title: Configure the Start menu
+title: Configure The Windows Start Menu With Policy Settings
description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most.
ms.topic: overview
-ms.date: 04/10/2024
+ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage
diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md
index 30baa389a1..af0a608300 100644
--- a/windows/configuration/start/layout.md
+++ b/windows/configuration/start/layout.md
@@ -1,8 +1,8 @@
---
-title: Customize the Start layout
+title: Customize The Start Layout For Managed Windows Devices
description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
appliesto:
---
@@ -304,10 +304,10 @@ Column="2"/>
You can use the `start:SecondaryTile` tag to pin a web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the `start:DesktopApplicationTile` tag).
-The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
+The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile. Ensure to replace `<--Microsoft Edge AUMID-->` with the AUMID of Microsoft Edge (learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md)):
```XML
-Windows 10
---
diff --git a/windows/configuration/store/find-aumid.md b/windows/configuration/store/find-aumid.md
index 2e19c3355e..39b513db4c 100644
--- a/windows/configuration/store/find-aumid.md
+++ b/windows/configuration/store/find-aumid.md
@@ -2,7 +2,9 @@
title: Find the Application User Model ID of an installed app
description: Learn how to find the Application User Model ID (AUMID) of the applications installed on a Windows device.
ms.topic: how-to
-ms.date: 02/06/2024
+ms.date: 10/31/2024
+appliesto:
+zone_pivot_groups: windows-versions-11-10
---
# Find the Application User Model ID of an installed app
@@ -90,6 +92,8 @@ Get-AppAUMID -AppName Word
Get-AppAUMID
```
+::: zone pivot="windows-10"
+
# [:::image type="icon" source="../images/icons/explorer.svg"::: **Explorer**](#tab/explorer)
To get the names and AUMIDs for all apps installed for the current user, perform the following steps:
@@ -99,7 +103,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to c
1. Change the **View** setting from **Tiles** to **Details**
-:::image type="content" source="images/aumid-file-explorer.png" alt-text="Screenshot of the File Explorer showing the AUMID details." border="false":::
+::: zone-end
# [:::image type="icon" source="../images/icons/registry.svg"::: **Registry**](#tab/registry)
diff --git a/windows/configuration/store/images/aumid-file-explorer.png b/windows/configuration/store/images/aumid-file-explorer.png
deleted file mode 100644
index 0361cd9bfe..0000000000
Binary files a/windows/configuration/store/images/aumid-file-explorer.png and /dev/null differ
diff --git a/windows/configuration/store/index.md b/windows/configuration/store/index.md
index 09c92aea0f..b6b7609319 100644
--- a/windows/configuration/store/index.md
+++ b/windows/configuration/store/index.md
@@ -1,8 +1,8 @@
---
-title: Configure access to the Microsoft Store app
+title: Configure Access To The Microsoft Store App For Windows Devices
description: Learn how to configure access to the Microsoft Store app.
ms.topic: how-to
-ms.date: 03/13/2024
+ms.date: 12/02/2024
---
# Configure access to the Microsoft Store app
diff --git a/windows/configuration/taskbar/includes/show-notification-bell-icon.md b/windows/configuration/taskbar/includes/show-notification-bell-icon.md
new file mode 100644
index 0000000000..e6b888ea52
--- /dev/null
+++ b/windows/configuration/taskbar/includes/show-notification-bell-icon.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/25/2025
+ms.topic: include
+---
+
+### Show notification bell icon
+
+This policy setting allows you to show the notification bell icon in the system tray:
+
+- If you enable this policy setting, the notification icon is always displayed
+- If you disable or don't configure this policy setting, the notification icon is only displayed when there's a special status (for example, when *do not disturb* is turned on)
+
+> [!NOTE]
+> A reboot is required for this policy setting to take effect.
+
+| | Path |
+|--|--|
+| **CSP** |- `./User/Vendor/MSFT/Policy/Config/Start/`[AlwaysShowNotificationIcon](/windows/client-management/mdm/policy-csp-start#AlwaysShowNotificationIcon) |
+| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
+
+
+
+1. Select the Microsoft Connected Cache for Enterprise resource. When prompted, choose the subscription, resource group, and location for the resource. Then enter a name for the resource, then select Review + Create.
+
+1. After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select Create.
+
+1. The creation of the resource might take a few minutes. After a successful creation, you'll see a page stating the deployment is complete. Select **Go to resource** to create cache nodes.
+
+
+# [Azure CLI](#tab/cli)
+
+### Prerequisites
+
+* An Azure CLI environment:
+
+ * Use the Bash environment in [Azure Cloud Shell](/azure/cloud-shell/get-started/classic).
+
+ * Or, if you prefer to run CLI reference commands locally, [install the Azure CLI](/cli/azure/install-azure-cli)
+
+ * Sign in to the Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command.
+
+ * Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade).
+
+ * Install Azure CLI extension **mcc** by following the instructions [here](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions).
+
+ * Resource group under which a Connected Cache resource can be created. Use the [az group create](/cli/azure/group#az-group-create) command to create a new Resource group if you don't already have one.
+
+#### Create Connected Cache Azure resource
+
+Replace the following placeholders with your own information:
+* *\*: Name of an existing resource group in your subscription.
+* *\*: A name for your Microsoft Connected Cache for Enterprise resource.
+* *\*: The Azure region where your Microsoft Connected Cache will be located.
+
+```azurecli-interactive
+az mcc ent resource create --mcc-resource-name --resource-group --location
+```
+
+---
+
+## Create Connected Cache cache node
+
+# [Azure portal](#tab/portal)
+
+ 1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise resource that you created.
+ 1. Under Cache Node Management, select **Cache Nodes** then **Create Cache Node**.
+
+ 1. Provide a name for your cache node and select the host OS you plan to deploy the cache node on, then select **Create**. Note, cache node names have to be unique under the Microsoft Connected Cache resource.
+
+ The creation of the cache node might take a few minutes. Select **Refresh** to see your recently created cache node.
+Once the cache node state changes to **Not Configured**, you can now configure your cache node.
+For more information about different cache node states, see [Cache node states](#cache-node-states).
+
+
+# [Azure CLI](#tab/cli)
+
+Use the following command to create a new cache node if you don't already have one.
+
+Replace the following placeholders with your own information:
+* *\*: Name of existing resource group in your subscription.
+* *\*: Name of the Microsoft Connected Cache for Enterprise resource.
+* *\*: A name for your Microsoft Connected Cache node.
+* *\*: The OS on which cache node will be provisioned.
+ Accepted values: `windows`, `linux`
+
+```azurecli-interactive
+az mcc ent node create --cache-node-name --mcc-resource-name --resource-group --host-os
+```
+
+
+
+>[!NOTE]
+>To ensure cache node has been created successfully, run the following command before continuing with cache node configuration.
+>```azurecli-interactive
+>az mcc ent node show --cache-node-name --mcc-resource-name --resource-group
+>```
+>In the output look for **cacheNodeState**. If ***cacheNodeState = Not Configured***, you can continue with cache node configuration.
+>If ***cacheNodeState = Registration in Progress***, then the cache node is still in process of being created. Wait a couple of minutes and run the command again.
+>To know more about different cache node state, see [Cache node states](#cache-node-states).
+
+---
+
+## Configure Connected Cache node
+
+# [Azure portal](#tab/portal)
+Enter required values to configure your cache node. For more information about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article.
+Don't forget to select save after adding configuration information.
+
+
+# [Azure CLI](#tab/cli)
+
+### Configure Linux-hosted Connected Cache node
+Use the following command to configure cache node for deployment to a **Linux** host machine.
+
+Replace the following placeholders with your own information:
+
+* *\*: Name of the resource group in your subscription.
+* *\*: Name of your Microsoft Connected Cache for Enterprise resource.
+* *\*: Name for your Microsoft Connected Cache node.
+* *\*: The cache drive path. You can add up to nine cache drives.
+* *\*: The size of cache drive. Must be at least 50 Gb.
+* *\*: If proxy needs to be enabled or not.
+ Accepted values: `enabled`, `disabled`
+ Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine.
+* *\*: The proxy host name or ip address. Required if proxy is set to enabled.
+* *\*: Proxy port number. Required if proxy is set to enabled.
+* *\*: Update ring the cache node should have.
+ Accepted values: `slow`, `fast`.
+ If update ring is set to slow, you must provide the day of week, time of day and week of month the cache node should be updated.
+* *\*: The day of the week cache node should be updated. Week starts from Monday.
+ Accepted values: 1,2,3,4,5,6,7
+* *\*: The time of day cache node should be updated in 24 hour format (hh:mm)
+* *\*: The week of month cache node should be updated.
+ Accepted values: 1,2,3,4
+
+```azurecli-interactive
+az mcc ent node update --cache-node-name --mcc-resource-name --resource-group
+--cache-drive "[{physical-path:,size-in-gb:},{,size-in-gb:}...]"> --proxy --proxy-host <"proxy host name"> --proxy-port --auto-update-day --auto-update-time
Managed by either Intune or ConfigMgr co-management
ConfigMgr co-management workloads
Last communication with Intune
Personal or non-Windows devices
|
Windows OS (build, architecture, and edition)
Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
Internet connectivity
|
@@ -66,7 +66,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data
- Passes all post-device registration readiness checks
-The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
+The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch:
@@ -90,8 +90,8 @@ See the following diagram for the post-device registration readiness checks work
| Step | Description |
| ----- | ----- |
| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
-| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
|
-| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.
|
+| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker agents perform readiness checks against devices in the **Ready** tab every 24 hours.
|
+| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service component to the Device Readiness component within the Windows Autopatch's service.
|
| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show in the **Ready** tab. |
@@ -99,7 +99,7 @@ See the following diagram for the post-device registration readiness checks work
| Question | Answer |
| ----- | ----- |
-| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
+| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** agents collect device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service.
The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.
Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.
|
## Additional resources
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
new file mode 100644
index 0000000000..0cf0c9260b
--- /dev/null
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -0,0 +1,110 @@
+---
+title: Hotpatch updates
+description: Use Hotpatch updates to receive security updates without restarting your device
+ms.date: 02/03/2025
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Hotpatch updates (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+
+Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
+
+> [!NOTE]
+> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
+
+## Key benefits
+
+- Hotpatch updates streamline the installation process and enhance compliance efficiency.
+- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
+- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
+
+## Release cycles
+
+For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+
+| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
+| ----- | ----- | ----- |
+| 1 | January | February and March |
+| 2 | April | May and June |
+| 3 | July | August and September |
+| 4 | October | November and December |
+
+## Operating system configuration prerequisites
+
+To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
+
+### Virtualization based security (VBS)
+
+VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).
+
+### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
+
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
+Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
+DWORD key value: HotPatchRestrictions=1
+
+> [!IMPORTANT]
+> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
+
+If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
+
+## Eligible devices
+
+To benefit from Hotpatch updates, devices must meet the following prerequisites:
+
+- Operating System: Devices must be running Windows 11 24H2 or later.
+- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
+- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+
+## Ineligible devices
+
+Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
+
+LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
+
+> [!NOTE]
+> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
+
+## Enroll devices to receive Hotpatch updates
+
+> [!NOTE]
+> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
+
+**To enroll devices to receive Hotpatch updates:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Manage updates** section, select **Windows updates**.
+1. Go to the **Quality updates** tab.
+1. Select **Create**, and select **Windows quality update policy (preview)**.
+1. Under the **Basics** section, enter a name for your new policy and select Next.
+1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
+1. Select the appropriate Scope tags or leave as Default and select **Next**.
+1. Assign the devices to the policy and select **Next**.
+1. Review the policy and select **Create**.
+
+These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+
+> [!NOTE]
+> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
+
+## Roll back a hotpatch update
+
+Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
index cce3435eec..ffcd082e07 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
@@ -78,6 +78,9 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
> [!IMPORTANT]
> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> [!CAUTION]
+> If a device that was previously added to an Autopatch group uses an Entra group (via Assigned groups or Dynamic distribution method) is removed from the Entra group, the device is removed and de-registered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device won't appear in the Autopatch devices reports.
+
## Rename an Autopatch group
**To rename an Autopatch group:**
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
index ddab13c440..e968491819 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -68,7 +68,7 @@ For deployment rings set to **Automatic**, you can choose the deferral period fo
The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period.
-The deferral period can be set from 0 to 14 days, and it can be different for each deployment ring.
+The deferral period can be set from 0 to 30 days, and it can be different for each deployment ring.
> [!NOTE]
> The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md
index e68df90cbb..81669a6614 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md
@@ -1,7 +1,7 @@
---
title: Manage Update rings
description: How to manage update rings
-ms.date: 09/16/2024
+ms.date: 12/10/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -43,7 +43,7 @@ Imported rings automatically register all targeted devices into Windows Autopatc
2. Select **Devices** from the left navigation menu.
3. Under the **Manage updates** section, select **Windows updates**.
4. In the **Windows updates** blade, go to the **Update rings** tab.
-5. Select **Enroll policies**.
+5. Select **Enroll policies**. **This step only applies if you've gone through [feature activation](../prepare/windows-autopatch-feature-activation.md)**.
6. Select the existing rings you would like to import.
7. Select **Import**.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
index cd90f48781..b5259a8275 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
-ms.date: 09/16/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -21,6 +21,9 @@ ms.collection:
Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
## Multi-phase feature update
Multi-phase feature update allows you to create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs.
@@ -117,6 +120,9 @@ For more information about Windows feature update policies that are created for
## Pause and resume a release
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
> [!IMPORTANT]
> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md
index 37b1203eff..47810fe194 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md
@@ -42,12 +42,12 @@ These policies control the minimum target version of Windows that a device is me
You can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
-| Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
-| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 11, 2024 |
-| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 11, 2024 |
-| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 11, 2024 |
-| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 11, 2024 |
+| Policy name | Phase mapping | Feature update version | Rollout options | Support end date |
+| ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 |
+| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 |
+| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 |
+| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 |
> [!NOTE]
> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
@@ -56,9 +56,9 @@ You can see the following default policies created by the service in the [Micros
Windows Autopatch configures the values for its global Windows feature update policy. See the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
-| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
-| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch - Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 |
+| Policy name | Feature update version | Rollout options | Support end date |
+| ----- | ----- | ----- | ----- |
+| Windows Autopatch - Global DSS Policy [Test] | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 |
> [!NOTE]
> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
@@ -101,11 +101,11 @@ These policies can be viewed in the [Microsoft Intune admin center](https://go.m
The following table is an example of the Windows feature update policies that were created for phases within a release:
-| Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date |
-| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch - DSS Policy - My feature update release - Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release - Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release - Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release - Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release - Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 |
+| Policy name | Feature update version | Rollout options| Day between groups | Support end date |
+| ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 1 | Windows 10 22H2 | Make update available as soon as possible| N/A | October 14, 2025 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 2 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 3 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 4 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 5 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 |
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
index 665fc298c0..6e8b915912 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -1,10 +1,10 @@
---
title: Windows quality update end user experience
description: This article explains the Windows quality update end user experience
-ms.date: 09/16/2024
+ms.date: 11/04/2024
ms.service: windows-client
ms.subservice: autopatch
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
@@ -32,9 +32,7 @@ In this section we review what an end user would see in the following three scen
### Typical update experience
-The Windows quality update is published and devices in the Broad ring have a deferral period of nine days. Devices wait nine days before downloading the latest quality update.
-
-In the following example, the user:
+In the following example, the Windows quality update is published and devices in the Broad ring have a deferral period of seven days. Devices wait seven days before downloading the latest quality update.
| Day | Description |
| --- | --- |
@@ -46,7 +44,7 @@ In the following example, the user:
### Quality update deadline forces an update
-In the following example, the user:
+In the following example:
| Day | Description |
| --- | --- |
@@ -58,7 +56,7 @@ In the following example, the user:
### Quality update grace period
-In the following example, the user:
+In the following example:
| Day | Description |
| --- | --- |
@@ -69,6 +67,11 @@ In the following example, the user:
:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
+> [!TIP]
+> For optimal end-user experience, the recommeded settings are 2-day Deadline and 3-day Grace Period for update deployments.
+
## Minimize user disruption due to updates
-Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached.
+Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached.
+
+Windows Autopatch doesn't modify the existing Windows Update notifications. If you wish to modify the end-user update notification experience, see [Use CSPs and MDMs to configure Windows Update for Business](/windows/deployment/update/waas-wufb-csp-mdm).
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
index 942d898c05..31a02381ec 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
@@ -1,10 +1,10 @@
---
title: Windows quality updates overview
description: This article explains how Windows quality updates are managed
-ms.date: 09/16/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
@@ -54,7 +54,7 @@ The service level objective for each of these states is calculated as:
> Targeted deployment ring refers to the deployment ring value of the device in question. If a device has a five day deferral with a two day deadline, and two day grace period, the SLO for the device would be calculated to `5 + 2 + 5 = 12`-day service level objective from the second Tuesday of the month. The five day reporting period is one established by Windows Autopatch to allow enough time for device check-in reporting and data evaluation within the service.
> [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Out of Band releases
@@ -62,11 +62,14 @@ The service level objective for each of these states is calculated as:
Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
-For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the set deferral dates.
+For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the specified deferral dates.
## Pause and resume a release
-The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
+The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.
@@ -81,10 +84,8 @@ If Windows Autopatch detects a significant issue with a release, we might decide
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**.
-1. In the **Windows updates** blade, select the **Quality updates** tab.
-1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause, or **Resume** from the dropdown menu.
-1. Optional. Enter the justification about why you're pausing or resuming the selected update.
-1. Optional. Select **This pause is related to Windows Update**. When you select this checkbox, you must provide information about how the pause is related to Windows Update.
+1. In the **Windows updates** blade, select the **Update rings** tab.
+1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause**, or **Resume** from the dropdown menu.
1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings.
1. Select **Pause or Resume deployment**.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
index 77acf64924..2aefa858cc 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 09/24/2024
+ms.date: 12/10/2024
---
# Programmatic controls for expedited Windows quality updates
@@ -34,6 +34,9 @@ In this article, you will:
All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients.
+> [!IMPORTANT]
+> This step isn't required if your device is running Windows 11 24H2 and later.
+
- The *Update Health Tools* are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device, use one of the following methods:
- Run a [readiness test for expedited updates](#readiness-test-for-expediting-updates)
- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**.
@@ -269,7 +272,7 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
## Add members to the deployment audience
-The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update is expedited.
The following example adds two devices to the deployment audience using the **Microsoft Entra ID** for each device:
@@ -299,7 +302,7 @@ To verify the devices were added to the audience, run the following query using
## Delete a deployment
-To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+To stop an expedited deployment, DELETE the deployment. Deleting the deployment prevents the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval must be created.
The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
@@ -309,7 +312,7 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e
## Readiness test for expediting updates
-You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results.
+You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service checks to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
new file mode 100644
index 0000000000..afa0dfe072
--- /dev/null
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
@@ -0,0 +1,67 @@
+---
+title: Hotpatch quality update report
+description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Hotpatch quality update report (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
+
+**To view the Hotpatch quality update status report:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+1. Select the **Reports** tab.
+1. Select **Hotpatch quality updates (preview)**.
+
+> [!NOTE]
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+The Hotpatch quality update report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+### Default columns
+
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
+The following information is available as default columns in the Hotpatch quality update report:
+
+| Column name | Description |
+| ----- | ----- |
+| Quality update policy | The name of the policy. |
+| Device name | Total number of devices in the policy. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Hotpatched | Total devices that successfully received a Hotpatch update. |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
+| % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| By percentage | Select **By percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **By device count** to show your trending graphs and indicators by numeric value. |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md
deleted file mode 100644
index c483164956..0000000000
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: Reliability report
-description: This article describes the reliability score for each Windows quality update cycle based on stop error codes detected on managed devices.
-ms.date: 04/09/2024
-ms.service: windows-client
-ms.subservice: autopatch
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: aaroncz
-ms.reviewer: hathind
-ms.collection:
- - highpri
- - tier1
----
-
-# Reliability report (public preview)
-
-[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-
-> [!IMPORTANT]
-> This feature is in **public preview**. It's being actively developed, and might not be complete.
-
-The Reliability report provides a reliability score for each Windows quality update cycle based on [stop error codes](/troubleshoot/windows-client/performance/stop-error-or-blue-screen-error-troubleshooting) detected on managed devices. Scores are determined at both the service and tenant level. Details on modules associated with stop error codes at the tenant level are provided to better understand how devices are affected.
-
-> [!NOTE]
-> **The Reliability report applies to quality updates only**. The Reliability report doesn't currently support Windows feature updates.
Scores used in this report are calculated based on devices running both Windows 10 and Windows 11 versions.
-
-With this feature, IT admins can access the following information:
-
-| Information type | Description |
-| ----- | ----- |
-| Your score | **Your score** is a calculated tenant reliability score based on stop error codes detected on managed devices that updated successfully during the current update cycle. **Your score** is the latest single-day score in the current Windows quality update cycle. The monthly score values can be viewed under the **Trending** tab. |
-| Baseline | Use the **Baseline** to compare your score with past quality update cycles. You can choose the desired historical record from the **Comparison baseline** dropdown menu at the top of the page. **Baseline** is a single-day score calculated the same number of days from the start of patching as your score. |
-| Service-level | Use the **Service-level** to compare **your score** with a score computed across tenants in the Azure Data Scale Unit covering your geographic region. **Service-level** is a single-day score calculated the same number of days from the start of patching as **your score**. |
-| Score details | **Score details** provides information about specific modules associated with stop error code occurrence, occurrence rate, and affected devices. View single-day or multi-day results by selecting from the **Duration** menu. Data can be exported for offline reference. |
-| Trending | **Trending** provides a graphical visualization of reliability scores at both tenant and service level on a customizable timeline of 1 - 12 months. Monthly scores represent the aggregated value for a complete update cycle (second Tuesday of the month). |
-| Insights | **Insights** identifies noteworthy trends that might be useful in implementing reliability improvement opportunities. |
-| Affected devices | **Affected devices** are the number of unique devices associated with stop error code events. |
-
-## Report availability
-
-The Reliability report relies on device policies being configured properly. It's important to confirm that the minimum requirements are met to access the full Reliability report.
-
-| Data collection policies set | Devices registered in Autopatch | Devices updated | Report availability |
-| ----- | ------ | ----- | ----- |
-| No | - | - | No report available.
In this state, a ribbon appears on the landing page alerting the user that the diagnostic data needed to generate a report appears to be turned off. The report is available 24 and 48 hours after the following conditions are met:
[Diagnostic data device configuration policies enabled](../references/windows-autopatch-changes-to-tenant.md#device-configuration-policies)
At least 100 devices registered in Autopatch
At least 100 of these registered devices completed a quality update in the current update cycle (second Tuesday of the month)
|
-| Yes | 0 | - | The report includes only the historical comparison baseline and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. |
-| Yes | 0 < n < 100 | 0 < n < 100 | The report includes module failure details, historical comparison baseline, and service-level score. The tenant score is unavailable until 100 devices are updated. |
-| Yes | n >= 100 | 0 < n < 100 | The report includes module failure details, historical comparison baseline score, and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. |
-| Yes | n >= 100 | n >= 100 | Full reporting available |
-
-## View the Reliability report
-
-**To view the Reliability report:**
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
-3. Select the **Reports** tab.
-4. Select **Reliability report**.
-
-> [!NOTE]
-> To use the Reliability report capability, ensure that at least 100 devices are registered in the Windows Autopatch service and capable of successfully completing a quality update. The report relies on device stop error code data being available to Microsoft (transmission of this data may take up to 24 hours).
A score is generated when:
100 or more devices have completed updating to the latest quality update
Windows Autopatch receives the stop error code data related to that update cycle
Windows Autopatch data collection must be enabled according to the [configuration policies](../references/windows-autopatch-changes-to-tenant.md#device-configuration-policies) set during tenant onboarding. For more information about data collection, see [Privacy](../overview/windows-autopatch-privacy.md)
-
-## Report information
-
-The following information is available as default columns in the Reliability report:
-
-> [!NOTE]
-> The report is refreshed no more than once every 24 hours with data received from your Windows Autopatch managed devices. Manual data refresh is not supported. The last refreshed date and time can be found at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
-
-### Score details
-
-| Column | Description |
-| ----- | ----- |
-| Module name | Name of module associated with stop error code detection. |
-| Version | Version of module associated with stop error code detection. |
-| Unique devices | Number of unique devices seeing a stop error code occurrence associated with a specific module name and version. This information is hyperlinked to the **Devices affected** flyout. |
-| Total events | Total number of stop error codes detected associated with a specific module name and version. |
-| Module score impact | **Your score** associated with specific module name and version. |
-| Timeline | This information is hyperlinked to **Module details** flyout. |
-
-### Export file
-
-| Column | Description |
-| ----- | ----- |
-| DeviceName | Device name |
-| MicrosoftEntraDeviceId | Microsoft Entra device ID |
-| Model | Device model |
-| Manufacturer | Device manufacturer |
-| AutopatchGroup | Autopatch group assignment for the affected device |
-| LatestOccurrence | Time of the most recent reported failure |
-| WindowsVersion | Windows version (Windows 10 or Windows 11) |
-| OSVersion | OS version |
-| ModuleName | Name of the module associated with stop error code detection |
-| Version | Version of the module associated with stop error code detection |
-| BugCheckCode | Bug check code associated with stop error code |
-| TenantId | Your Microsoft Entra tenant ID |
-
-### Devices affected
-
-| Column | Description |
-| ----- | ----- |
-| Device name | Device name |
-| Microsoft Entra device ID | Microsoft Entra device ID |
-| Model | Device model |
-| Manufacturer | Device manufacturer |
-| Autopatch group | Autopatch group assignment for the affected device |
-| Latest occurrence | Time of the most recent reported failure |
-
-### Module details
-
-| Display selection | Description |
-| ----- | ----- |
-| Unique devices | Number of unique devices affected by module failure and the associated version |
-| Total events | Number of occurrences by module failure and the associated version |
-| Module impact | Score impact by module and version representing the relative importance of module failure. Higher positive values describe module failures that have a greater impact on the tenant and should be addressed with higher priority. Negative values describe module failures that have a lower-than-average impact on the tenant and thus can be treated with lower priority. Values around `0` describe module failures with average impact on the tenant. |
-
-## Known limitations
-
-The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. A full 12 months of score data are available to select from the menu dropdowns in September 2024.
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
index 4219401d76..c70e5b8f7a 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Feature update status report
-description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 09/16/2024
+description: Provides a per device view of the current Windows OS upgrade status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices.
**To view the Feature update status report:**
@@ -32,6 +32,9 @@ The Feature update status report provides a per device view of the current Windo
### Default columns
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available as default columns in the Feature update status report:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
index 4e65d5e28b..fe310f106a 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
-description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 09/16/2024
+description: Provides a broader view of the current Windows OS upgrade status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices.
The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
@@ -31,6 +31,9 @@ The first part of the Summary dashboard provides you with an all-devices trend r
## Report information
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available in the Summary dashboard:
| Column name | Description |
@@ -45,6 +48,9 @@ The following information is available in the Summary dashboard:
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| % with the target feature update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the targeted feature update. |
+> [!NOTE]
+> The Windows Autopatch feature update report always displays the higher Windows version a device is taking. If target versions are identical, the report shows the most recent release or binding time. Release takes precedence over standalone DSS policy.
+
## Report options
The following options are available:
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
index b2b2d8bf42..c678156938 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
-ms.date: 09/16/2024
+ms.date: 03/03/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -19,6 +19,15 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
+## Prerequisites
+
+Windows Autopatch requires, and uses Windows diagnostic data to display device update statuses in Autopatch reports.
+
+- Service state and substate data are included for all devices configured for Windows quality and feature updates. No data collection configuration is required.
+- Client and substate data are collected from devices only if Windows data collection data is properly configured.
+
+This data collection configuration method using Windows diagnostic data in Intune is shared across Autopatch reports. To support Autopatch reporting, you must configure the [Enable Windows diagnostic data collection settings](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) from devices at the **Required** or higher level.
+
## Windows quality update reports
The Windows quality reports provide you with information about:
@@ -27,7 +36,7 @@ The Windows quality reports provide you with information about:
- Device update health
- Device update alerts
-Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
+Together, these reports provide insight into the quality update state and compliance of Intune devices.
The Windows quality report types are organized into the following focus areas:
@@ -35,7 +44,6 @@ The Windows quality report types are organized into the following focus areas:
| ----- | ----- |
| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) provide the current update status summary for all devices.
The [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) provides the current update status of all devices at the device level. |
| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) provides the update status trend of all devices over the last 90 days. |
-| [Reliability report](../operate/windows-autopatch-reliability-report.md) | The Reliability report provides a reliability score for each Windows quality update cycle based on stop error codes detected on managed devices. |
## Windows feature update reports
@@ -58,10 +66,13 @@ Users with the following permissions can access the reports:
- Intune Service Administrator
- Global Reader
- Services Support Administrator
+- Policy and Profile Manager
+- Read Only Operator
+- Help Desk Operator
## About data latency
-The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
+The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours.
## Windows quality and feature update statuses
@@ -84,7 +95,7 @@ Up to date devices are devices that meet all of the following prerequisites:
- Applied the current monthly cumulative updates
> [!NOTE]
-> Device that are [Up to Date](#up-to-date-devices) will remain with the **In Progress** status until either the current monthly cumulative update is applied, or an [alert](../operate/windows-autopatch-device-alerts.md) is received. If the device receives an alert, the device's status will change to [Not up to Date](#not-up-to-date-devices).
+> Devices that are [Up to Date](#up-to-date-devices) remain with the **In Progress** status until either the current monthly cumulative update is applied, or an [alert](../operate/windows-autopatch-device-alerts.md) is received. If the device receives an alert, the device's status changes to [Not up to Date](#not-up-to-date-devices).
#### Up to Date sub statuses
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
index bcd381e6d1..abde6947cc 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Quality update status report
-description: Provides a per device view of the current update status for all Windows Autopatch managed devices.
-ms.date: 09/16/2024
+description: Provides a per device view of the current update status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices.
+The Quality update status report provides a per device view of the current update status for all Intune devices.
**To view the Quality update status report:**
@@ -29,12 +29,15 @@ The Quality update status report provides a per device view of the current updat
1. Select **Quality update status**.
> [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
### Default columns
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available as default columns in the Quality update status report:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
index c145b09b4c..52bb8e8d65 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
-description: Provides a summary view of the current update status for all Windows Autopatch managed devices.
-ms.date: 09/16/2024
+description: Provides a summary view of the current update status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices.
+The Summary dashboard provides a summary view of the current update status for all Intune devices.
**To view the current update status for all your enrolled devices:**
@@ -27,10 +27,13 @@ The Summary dashboard provides a summary view of the current update status for a
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
> [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available in the Summary dashboard:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 386ec22830..78bb2e7125 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
-ms.date: 09/27/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -18,7 +18,7 @@ ms.reviewer: hathind
# What is Windows Autopatch?
> [!IMPORTANT]
-> In September, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement.
+> In September 2024, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement.
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
@@ -49,7 +49,9 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. |
| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. |
| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
+| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. |
| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
+| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
@@ -70,7 +72,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
| [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
-| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
+| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. |
| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
## Communications
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 6666b1fe35..7778e7edf0 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch |
mmdcustomer.microsoft.com
mmdls.microsoft.com
logcollection.mmd.microsoft.com
support.mmd.microsoft.com
devicelistenerprod.microsoft.com
login.windows.net
payloadprod*.blob.core.windows.net
|
+| Windows Autopatch |
mmdcustomer.microsoft.com
mmdls.microsoft.com
devicelistenerprod.microsoft.com
login.windows.net
device.autopatch.microsoft.com
|
## Delivery Optimization
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 74379f93b0..e66fe153ac 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/27/2024
+ms.date: 10/30/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: concept-article
@@ -135,12 +135,15 @@ For more information about feature entitlement, see [Features and capabilities](
The following Windows 10/11 editions, build version, and architecture are supported when [devices are registered with Windows Autopatch](../deploy/windows-autopatch-register-devices.md):
- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
+- Windows 11 IoT Enterprise edition
- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
+- Windows 10 IoT Enterprise edition
Windows Autopatch service supports Windows client devices on the **General Availability Channel**.
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Configuration Manager co-management requirements
@@ -171,15 +174,18 @@ You can add the *Device configurations* permission with one or more rights to yo
### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-intune-permissions)
+Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions:
+
+- **Device configurations**:
+ - Assign
+ - Create
+ - Delete
+ - View Reports
+ - Update
+- Read
+
After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md#activate-windows-autopatch-features), use the Intune Service Administrator role to register devices, manage your update deployments, and reporting tasks.
-If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Microsoft Entra groups created during the [Start using Windows Autopatch](../prepare/windows-autopatch-feature-activation.md) process:
-
-| Microsoft Entra group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
-| --- | --- | --- | --- | --- | --- |
-| Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes |
-| Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | Yes |
-
For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
> [!TIP]
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
index 822866ede9..432b2cc9ba 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
@@ -1,7 +1,7 @@
---
title: Changes made at feature activation
description: This reference article details the changes made to your tenant when you activate Windows Autopatch
-ms.date: 09/16/2024
+ms.date: 03/03/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: concept-article
@@ -49,14 +49,6 @@ The following groups target Windows Autopatch configurations to devices and mana
| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
| Modern Workplace Devices-WindowsAutopatch-Broad | Final deployment ring for broad rollout into the organization |
-## Device configuration policies
-
-- Windows Autopatch - Data Collection
-
-| Policy name | Policy description | Properties | Value |
-| ----- | ----- | ----- | ----- |
-| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.
[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
|
-
## Windows feature update policies
- Windows Autopatch - Global DSS Policy
@@ -68,7 +60,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Office update policies
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
- Windows Autopatch - Office Configuration
- Windows Autopatch - Office Update Configuration [Test]
@@ -87,7 +79,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Edge update policies
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
- Windows Autopatch - Edge Update Channel Stable
- Windows Autopatch - Edge Update Channel Beta
@@ -100,7 +92,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Driver updates for Windows 10 and later
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
- Windows Autopatch - Driver Update Policy [Test]
- Windows Autopatch - Driver Update Policy [First]
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 5492f63c14..285c7754e4 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 12/14/2023
+ms.date: 10/07/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@@ -70,7 +70,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| ----- | ----- |
| [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update |
| [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center |
-| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
| [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
## August 2023
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index f7ca1e60c8..f9d30352a5 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -1,7 +1,7 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
-ms.date: 09/27/2024
+ms.date: 02/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
+## November 2024
+
+### November feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| Hotpatch |
|
+
## September 2024
### September feature releases or updates
@@ -29,14 +37,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| ----- | ----- |
| All articles | Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) to understand licensing and feature entitlement.|
-## March 2024
-
-### March feature releases or updates
-
-| Article | Description |
-| ----- | ----- |
-| [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the [Reliability report](../operate/windows-autopatch-reliability-report.md) feature |
-
## February 2024
## February service releases
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 4794ab6ddf..22734dbc08 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -5,7 +5,7 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.service: windows-client
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 08/30/2024
ms.subservice: itpro-deploy
---
diff --git a/windows/deployment/windows-deployment-scenarios.md b/windows/deployment/windows-deployment-scenarios.md
index 857188ae38..faec964678 100644
--- a/windows/deployment/windows-deployment-scenarios.md
+++ b/windows/deployment/windows-deployment-scenarios.md
@@ -6,8 +6,8 @@ ms.author: frankroj
author: frankroj
ms.service: windows-client
ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 02/13/2024
+ms.topic: install-set-up-deploy
+ms.date: 02/27/2025
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/windows-missing-fonts.md b/windows/deployment/windows-missing-fonts.md
index eabee6f44f..11091fa358 100644
--- a/windows/deployment/windows-missing-fonts.md
+++ b/windows/deployment/windows-missing-fonts.md
@@ -6,8 +6,8 @@ ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/28/2024
+ms.topic: how-to
+ms.date: 02/27/2025
ms.subservice: itpro-deploy
zone_pivot_groups: windows-versions-11-10
appliesto:
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 2fc576e11b..a20075e2cf 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 08/27/2024
+ ms.date: 10/01/2024
highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | training | overview | quickstart | reference | sample | tutorial | video | whats-new
@@ -31,7 +31,7 @@ highlightedContent:
- title: Windows 11, version 24H2 group policy settings reference
itemType: download
- url: https://www.microsoft.com/download/details.aspx?id=105668
+ url: https://www.microsoft.com/download/details.aspx?id=106255
- title: Windows administrative tools
itemType: concept
@@ -73,7 +73,7 @@ conceptualContent:
- title: Privacy in Windows
links:
- - url: /windows/privacy/required-diagnostic-events-fields-windows-11-22h2
+ - url: /windows/privacy/required-diagnostic-events-fields-windows-11-24h2
itemType: reference
text: Windows 11 required diagnostic data
- url: /windows/privacy/configure-windows-diagnostic-data-in-your-organization
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 92ce858c06..da212c5802 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 04/24/2024
+ms.date: 10/01/2024
ms.topic: reference
ms.collection: privacy-windows
---
@@ -27,6 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
@@ -903,7 +904,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
+- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@@ -949,7 +950,6 @@ The following fields are available:
- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
-
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
@@ -1763,7 +1763,6 @@ The following fields are available:
The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
-
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
@@ -2186,7 +2185,7 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
@@ -2626,7 +2625,7 @@ Fires when the compatibility check completes. Gives the results from the check.
The following fields are available:
- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
-- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement).
+- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement).
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
@@ -4759,6 +4758,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
@@ -5375,7 +5375,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
-- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@@ -5383,11 +5383,11 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
-- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@@ -5398,8 +5398,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
-- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@@ -5409,9 +5409,9 @@ The following fields are available:
- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
-- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **eventType** A string indicating the type of the event.
- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
@@ -9069,7 +9069,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
-This event indicates that update activity was blocked because it is within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
+This event indicates that update activity was blocked because it's within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -10231,7 +10231,4 @@ The following fields are available:
- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
-- **UserId** The XUID (Xbox User ID) of the current user.
-
-
-
+- **UserId** The XUID (Xbox User ID) of the current user.
\ No newline at end of file
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 6fa1d2a9e2..6239e43f99 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -9,7 +9,7 @@ ms.author: danbrown
manager: laurawi
ms.date: 03/11/2016
ms.collection: highpri
-ms.topic: conceptual
+ms.topic: how-to
---
# Configure Windows diagnostic data in your organization
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index f06366e02f..3f854c689e 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -39,7 +39,7 @@ productDirectory:
- title: Windows 11 required diagnostic data
imageSrc: /media/common/i_extend.svg
summary: Learn more about basic Windows diagnostic data events and fields collected.
- url: required-diagnostic-events-fields-windows-11-22H2.md
+ url: required-diagnostic-events-fields-windows-11-24H2.md
- title: Windows 10 required diagnostic data
imageSrc: /media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 7c41ff3d2a..4bf198648c 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -174,6 +174,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+||The following endpoint is for a public web API used by Windows and other OS-agnostic products to check for new updates. If you disable this endpoint, these products won't be able to check for and apply software updates.|TLSv1.2/HTTPS/HTTP|*.api.cdp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
|||TLSv1.2|da.xboxservices.com|
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 97d13f6d72..446a29e39a 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -8,7 +8,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 02/29/2024
+ms.date: 10/01/2024
ms.topic: reference
ms.collection: privacy-windows
---
@@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@@ -128,6 +129,7 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser binary generating the events.
+
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
@@ -780,6 +782,7 @@ The following fields are available:
- **AppraiserVersion** Appraiser version.
+
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -1309,7 +1312,6 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
-
## Common data fields
### Ms.Device.DeviceInventoryChange
@@ -1725,7 +1727,7 @@ The following fields are available:
### Microsoft.Windows.HangReporting.AppHangEvent
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and won't produce AppHang events.
The following fields are available:
@@ -1751,31 +1753,6 @@ The following fields are available:
## Holographic events
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
-
-This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
-
-The following fields are available:
-
-- **SessionID** Unique value for each attempt.
-- **TargetAsId** The sequence number for the process.
-- **windowInstanceId** Unique value for each window instance.
-
-
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
-
-This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
-
-The following fields are available:
-
-- **EventHistory** Unique number of event history.
-- **ExternalComponentState** State of external component.
-- **LastEvent** Unique number of last event.
-- **SessionID** Unique value for each attempt.
-- **TargetAsId** The sequence number for the process.
-- **windowInstanceId** Unique value for each window instance.
-
-
### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
@@ -2247,6 +2224,22 @@ The following fields are available:
- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
+### Microsoft.Edge.Crashpad.HangEvent
+
+This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
+
+The following fields are available:
+
+- **app_name** The name of the hanging process.
+- **app_session_guid** Encodes the boot session, process, and process start time.
+- **app_version** The version of the hanging process.
+- **client_id_hash** Hash of the browser client id to help identify the installation.
+- **etag** Identifier to help identify running browser experiments.
+- **hang_source** Identifies how the hang was detected.
+- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
+- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
+
+
## OneSettings events
### Microsoft.Windows.OneSettingsClient.Status
@@ -2273,105 +2266,29 @@ The following fields are available:
## Other events
-### Microsoft.Edge.Crashpad.HangEvent
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
-This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
+This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
-- **app_name** The name of the hanging process.
-- **app_session_guid** Encodes the boot session, process, and process start time.
-- **app_version** The version of the hanging process.
-- **client_id_hash** Hash of the browser client id to help identify the installation.
-- **etag** Identifier to help identify running browser experiments.
-- **hang_source** Identifies how the hang was detected.
-- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
-- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
-### Microsoft.Gaming.Critical.Error
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
-Common error event used by the Gaming Telemetry Library to provide centralized monitoring for critical errors logged by callers using the library.
+This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
-- **callStack** List of active subroutines running during error occurrence.
-- **componentName** Friendly name meant to represent what feature area this error should be attributed to. Used for aggregations and pivots of data.
-- **customAttributes** List of custom attributes.
-- **errorCode** Error code.
-- **extendedData** JSON blob representing additional, provider-level properties common to the component.
-- **featureName** Friendly name meant to represent which feature this should be attributed to.
-- **identifier** Error identifier.
-- **message** Error message.
-- **properties** List of properties attributed to the error.
-
-### Microsoft.Gaming.Critical.ProviderRegistered
-
-Indicates that a telemetry provider has been registered with the Gaming Telemetry Library.
-
-The following fields are available:
-
-- **providerNamespace** The telemetry Namespace for the registered provider.
-
-### Microsoft.Gaming.OOBE.HDDBackup
-
-This event describes whether an External HDD back up has been found.
-
-The following fields are available:
-
-- **backupVersion** version number of backup.
-- **extendedData** JSON blob representing additional, provider-level properties common to the component.
-- **hasConsoleSettings** Indicates whether the console settings stored.
-- **hasUserSettings** Indicates whether the user settings stored.
-- **hasWirelessProfile** Indicates whether the wireless profile stored.
-- **hddBackupFound** Indicates whether hdd backup is found.
-- **osVersion** Operating system version.
-
-### Microsoft.Gaming.OOBE.OobeComplete
-
-This event is triggered when OOBE activation is complete.
-
-The following fields are available:
-
-- **allowAutoUpdate** Allows auto update.
-- **allowAutoUpdateApps** Allows auto update for apps.
-- **appliedTransferToken** Applied transfer token.
-- **connectionType** Connection type.
-- **curSessionId** Current session id.
-- **extendedData** JSON blob representing additional, provider-level properties common to the component.
-- **instantOn** Instant on.
-- **moobeAcceptedState** Moobe accepted state.
-- **phaseOneElapsedTimeMs** Total elapsed time in milliseconds for phase 1.
-- **phaseOneVersion** Version of phase 1.
-- **phaseTwoElapsedTimeMs** Total elapsed time in milliseconds for phase 2.
-- **phaseTwoVersion** Version of phase 2.
-- **systemUpdateRequired** Indicates whether a system update required.
-- **totalElapsedTimeMs** Total elapsed time in milliseconds of all phases.
-- **usedCloudBackup** Indicates whether cloud backup is used.
-- **usedHDDBackup** Indicates whether HDD backup is used.
-- **usedOffConsole** Indicates whether off console is used.
-
-
-### Microsoft.Gaming.OOBE.SessionStarted
-
-This event is sent at the start of OOBE session.
-
-The following fields are available:
-
-- **customAttributes** customAttributes.
-- **extendedData** extendedData.
-
-### Microsoft.Surface.Mcu.Prod.CriticalLog
-
-Error information from Surface device firmware.
-
-The following fields are available:
-
-- **CrashLog** MCU crash log
-- **criticalLogSize** Log size
-- **CUtility::GetTargetNameA(target)** Product identifier.
-- **productId** Product identifier
-- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
+- **EventHistory** Unique number of event history.
+- **ExternalComponentState** State of external component.
+- **LastEvent** Unique number of last event.
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
@@ -2409,6 +2326,7 @@ The following fields are available:
- **Action** Action string indicating place of failure
- **hr** Return HRESULT code
+
### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
Event that indicates secure boot update has started.
@@ -2419,22 +2337,6 @@ The following fields are available:
- **SecureBootUpdateCaller** Enum value indicating if this is a servicing or an upgrade.
-### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
-
-This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
-
-The following fields are available:
-
-- **CV** The correlation vector.
-- **GlobalEventCounter** The global event counter for all telemetry on the device.
-- **UpdateAssistantStateDownloading** True at the start Downloading.
-- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
-- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
-- **UpdateAssistantStateInstalling** True at the start of Installing.
-- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
-- **UpdateAssistantVersion** Current package version of UpdateAssistant.
-
-
### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
This event fires when HVCI is already enabled so no need to continue auto-enablement.
@@ -2670,6 +2572,19 @@ The following fields are available:
- **Ver** Schema version.
+### Microsoft.Surface.Mcu.Prod.CriticalLog
+
+Error information from Surface device firmware.
+
+The following fields are available:
+
+- **CrashLog** MCU crash log
+- **criticalLogSize** Log size
+- **CUtility::GetTargetNameA(target)** Product identifier.
+- **productId** Product identifier
+- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
+
+
### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly.
@@ -2710,6 +2625,24 @@ The following fields are available:
- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
+## Update Assistant events
+
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
+
+This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantStateDownloading** True at the start Downloading.
+- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
+- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
+- **UpdateAssistantStateInstalling** True at the start of Installing.
+- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
## Update events
### Update360Telemetry.FellBackToDownloadingAllPackageFiles
@@ -3574,7 +3507,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan.
-- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCancelled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt.
@@ -3758,6 +3691,3 @@ The following fields are available:
- **SessionId** The UpdateAgent “SessionId” value.
- **UpdateId** Unique identifier for the Update.
- **WuId** Unique identifier for the Windows Update client.
-
-
-
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md
new file mode 100644
index 0000000000..cf3ffdba05
--- /dev/null
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md
@@ -0,0 +1,4266 @@
+---
+description: Learn more about the diagnostic data gathered for Windows 11, version 24H2.
+title: Required diagnostic events and fields for Windows 11, version 24H2
+keywords: privacy, telemetry
+ms.service: windows-client
+ms.subservice: itpro-privacy
+ms.localizationpriority: high
+author: DHB-MSFT
+ms.author: danbrown
+manager: laurawi
+ms.date: 10/01/2024
+ms.topic: reference
+ms.collection: privacy-windows
+---
+
+# Required diagnostic events and fields for Windows 11, version 24H2
+
+**Applies to**
+
+- Windows 11, version 24H2
+
+Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
+
+Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
+- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
+- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_NI22H2** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_NI22H2Setup** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_ZN23H2** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFileBackup** The count of the number of this particular object type present on this device.
+- **DatasourceBackupApplicationRestore** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_NI22H2** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_NI22H2Setup** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDevicePnp_ZN23H2** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_NI22H2** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_NI22H2Setup** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_ZN23H2** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_NI22H2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_NI22H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_ZN23H2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_NI22H2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_NI22H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_ZN23H2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_NI22H2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_NI22H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_ZN23H2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_NI22H2** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_NI22H2Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
+- **DatasourceSystemBios_ZN23H2** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPassive_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPostUpgrade_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSModeState_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSModeState_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionSModeState_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionSModeState_RS1** The total number of objects of this type present on this device.
+- **DecisionSModeState_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionSModeState_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionSModeState_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemBios_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemDiskSize_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemDiskSize_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemDiskSize_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionSystemDiskSize_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemMemory_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemMemory_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemMemory_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionSystemMemory_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuCores_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuCores_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuCores_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuCores_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuModel_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuModel_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuModel_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuModel_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorPopCnt** The count of the number of this particular object type present on this device.
+- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionTest_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionTest_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionTest_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionTest_RS1** The total number of objects of this type present on this device.
+- **DecisionTest_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionTest_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionTest_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionTpmVersion_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionTpmVersion_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionTpmVersion_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionTpmVersion_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **DecisionUefiSecureBoot_NI22H2** The count of the number of this particular object type present on this device.
+- **DecisionUefiSecureBoot_NI22H2Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_ZN23H2** The count of the number of this particular object type present on this device.
+- **DecisionUefiSecureBoot_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **DecisionUefiSecureBoot_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
+- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventoryTest** The count of the number of this particular object type present on this device.
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
+- **PCFP** The count of the number of this particular object type present on this device.
+- **SystemMemory** The count of the number of this particular object type present on this device.
+- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
+- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPopCnt** The count of the number of this particular object type present on this device.
+- **SystemProcessorPopCnt_NI22H2** The count of the number of this particular object type present on this device.
+- **SystemProcessorPopCnt_RS1** The count of the number of this particular object type present on this device.
+- **SystemProcessorPopCnt_ZN23H2** The count of the number of this particular object type present on this device.
+- **SystemProcessorPopCnt_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **SystemProcessorPopCnt_ZN23H2Setup** The count of the number of this particular object type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
+- **SystemProcessorSse2** The total number of objects of this type present on this device.
+- **SystemTouch** The count of the number of this particular object type present on this device.
+- **SystemWim** The total number of objects of this type present on this device.
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
+- **SystemWlan** The total number of objects of this type present on this device.
+- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device.
+- **Wmdrm_CU23H2Setup** The count of the number of this particular object type present on this device.
+- **Wmdrm_NI22H2** The count of the number of this particular object type present on this device.
+- **Wmdrm_NI22H2Setup** The total number of objects of this type present on this device.
+- **Wmdrm_RS1** The total number of objects of this type present on this device.
+- **Wmdrm_ZN23H2** The count of the number of this particular object type present on this device.
+- **Wmdrm_ZN23H2Exp** The count of the number of this particular object type present on this device.
+- **Wmdrm_ZN23H2Setup** The count of the number of this particular object type present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceBackupApplicationRestoreAdd
+
+Represents the basic metadata about the interesting backed up applications to be restored on the system. This event describes whether the backed up applications are incompatible with upcoming Windows Feature updates. Microsoft uses this information to understand and address problems with computers receiving updates.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **BackupLabel** Indicates compatibility information about the application found on the backup device.
+- **CatalogSource** The type of application.
+- **CreatePlaceholder** Represents the decision regarding if the application should be restored.
+- **Name** Name of the application.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **SdbEntryGuid** Indicates the SDB entry that applies to this file.
+- **SdbRestoreAction** Indicates compatibility information about the application found on the backup device.
+
+### Microsoft.Windows.Appraiser.General.DatasourceBackupApplicationRestoreStartSync
+
+This event indicates that a new set of DatasourceBackupApplicationRestoreAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser binary generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks.
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.RestoreContext
+
+This event indicates the result of the restore appraisal.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently-running version of appraiser was built.
+- **AppraiserVersion** The version of the appraiser binary generating the events.
+- **Context** Indicates what mode appraiser is running in, this should be Restore.
+- **PCFP** An ID for the system, calculated by hashing hardware identifiers.
+- **Result** HRESULT indicating the result of the restore appraisal.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** Appraiser version
+- **Blocking** Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed** Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** Appraiser version.
+
+
+## Census events
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
+
+## Code Integrity events
+
+### Microsoft.Windows.Security.CodeIntegrity.Driver.AggregatedBlock
+
+AggregatedBlock is an event with non-PII details on drivers blocked by code integrity. Fires no more than once per 25 days per driver.
+
+The following fields are available:
+
+- **CertificateInfo** Non-PII details about the digital signature(s) and digital countersignatures on driver binary files which was blocked from loading.
+- **DriverInfo** Non-PII details about the driver binary file and its digital signature(s) and digital countersignature.
+- **EventVersion** The version of the schema used in the DriverInfo field.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.AutoEnablementIsBlocked
+
+Indicates if OEM attempted to block autoenablement via regkey.
+
+The following fields are available:
+
+- **BlockHvciAutoenablement** True if auto-enablement was successfully blocked, false otherwise.
+- **BlockRequested** Whether an autoenablement block was requested.
+- **Scenario** Used to differentiate VBS and HVCI paths.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Compatibility
+
+Fires when the compatibility check completes. Gives the results from the check.
+
+The following fields are available:
+
+- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
+- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement)
+- **Scenario** Denotes whether SysPrep is attempting to enable HVCI (0) or VBS (1).
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
+
+Fires when auto-enablement is successful and HVCI is being enabled on the device.
+
+The following fields are available:
+
+- **Error** Error code if there was an issue during enablement
+- **Scenario** Indicates whether enablement was for VBS vs HVCI
+- **SuccessfullyEnabled** Indicates whether enablement was successful
+- **Upgrade** Indicates whether the event was fired during upgrade (rather than clean install)
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity
+
+Fires at the beginning and end of the HVCI auto-enablement process in sysprep.
+
+The following fields are available:
+
+- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating success or failure.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciAlreadyEnabled
+
+Fires when HVCI is already enabled so no need to continue auto-enablement.
+
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
+
+Fires when driver scanning fails to get results.
+
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverInSdbError
+
+Fires when there's an error checking the SDB for a particular driver.
+
+The following fields are available:
+
+- **DriverPath** Path to the driver that was being checked in the SDB when checking encountered an error.
+- **Error** Error encountered during checking the SDB.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverNonCompliantError
+
+Fires when a driver is discovered that is non-compliant with HVCI.
+
+The following fields are available:
+
+- **DriverPath** Path to driver.
+- **NonComplianceMask** Error code indicating driver violation.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.IsRegionDisabledLanguage
+
+Fires when an incompatible language pack is detected.
+
+The following fields are available:
+
+- **Language** String containing the incompatible language pack detected.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.KcetHvciDisabled
+
+This event indicates that kernel-mode Control-flow Enforcement Technology (CET), which is a CPU-based security feature that protects against return address hijacking attacks from malicious software, was unable to be enabled because HVCI (a dependent security feature) wasn't also enabled.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.State.DefenderSwitchedNWOff
+
+This event tracks when Defender turns off Smart App Control via the Cloud.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.State.DefenderSwitchedNWOffIgnored
+
+This event indicates that a request to switch Smart App Control off by Defender from the cloud was ignored as the device was still within the grace period after OOBE.
+
+The following fields are available:
+
+- **Count** Count of events in the aggregation window.
+- **CurrentTimeMax** Time of latest event.
+- **CurrentTimeMin** Time of first event.
+- **NightsWatchDesktopIgnoreAutoOptOut** Value of NightsWatchDesktopIgnoreAutoOptOut in registry.
+- **OOBECompleteTime** Value of OOBECompleteTime in registry.
+- **OOBESafetyTime** Start of timer set by Smart App Control if OOBECompleteTime wasn't set.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.State.SwitchedNWOff
+
+This event tracks when Smart App Control is turned off.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.State.SwitchedNWToEnforcementMode
+
+This event tracks when Smart App Control is changed from evaluation to enforcement mode.
+
+
+
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **locale** The locale of the app.
+- **name** The name of the app.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **epoch** An ID that's incremented for each SDK initialization.
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **seq** An ID that's incremented for each event.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
+- **localId** A locally-defined unique ID for the device. This isn't the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **make** Device manufacturer.
+- **model** Device model.
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.mscv
+
+Describes the correlation vector-related fields.
+
+The following fields are available:
+
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related events across component boundaries.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **name** Represents the operating system name.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.sdk
+
+Used by platform specific libraries to record fields that are required for a specific SDK.
+
+The following fields are available:
+
+- **epoch** An ID that is incremented for each SDK initialization.
+- **installId** An ID that's created during the initialization of the SDK for the first time.
+- **libVer** The SDK version.
+- **seq** An ID that is incremented for each event.
+- **ver** The version of the logging SDK.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **locale** The language and region.
+- **localId** Represents a unique user identity that is created locally and added by the client. This isn't the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **loggingBinary** The binary (executable, library, driver, etc.) that fired the event.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **pgName** The short form of the provider group name associated with the event.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **providerGuid** The ETW provider ID associated with the provider name.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It's an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **wcmp** The Windows Shell Composer ID.
+- **wPId** The Windows Core OS product ID.
+- **wsId** The Windows Core OS session ID.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+-
+
+## Component-based servicing events
+
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **downloadSource** The source of the download.
+- **highestState** The highest final install state of the optional content.
+- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
+### CbsServicingProvider.CbsFodInventory
+
+This event reports on the state of the current optional Windows content obtained from Windows Update.
+
+The following fields are available:
+
+- **capabilities** A bitmask with each position indicating if each type of optional Windows content is currently enabled.
+- **initiatedOffline** A true or false value indicating if the inventory describes an offline WIM file.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+### CbsServicingProvider.CbsLateAcquisition
+
+This event sends data to indicate if some Operating System packages couldn't be updated as part of an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **Features** The list of feature packages that couldn't be updated.
+- **RetryID** The ID identifying the retry attempt to update the listed packages.
+
+
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was canceled.
+
+
+### CbsServicingProvider.CbsPostponedReserveInstallDecision
+
+This event reports on the scheduling of installs for Windows cumulative security updates.
+
+The following fields are available:
+
+- **hardReserveSize** The size of the disk space reserve used to update Windows OS content.
+- **hardReserveUsedSpace** The disk space currently in use in the reserve used to update Windows OS content.
+- **postponed** A boolean indicating if updating processing has been delayed to shutdown due to low disk space.
+- **userFreeSpace** The amount of free disk space available on the OS volume.
+- **usingReserves** A boolean indicating whether disk space reserves are being used to install the update.
+
+
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build version number of the update package.
+- **clientId** The name of the application requesting the optional content.
+- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device.
+- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure.
+- **currentStateEnd** The final state of the package after the operation has completed.
+- **doqTimeSeconds** The time in seconds spent updating drivers.
+- **executeTimeSeconds** The number of seconds required to execute the install.
+- **failureDetails** The driver or installer that caused the update to fail.
+- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred.
+- **hrStatusEnd** The return code of the install operation.
+- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file.
+- **majorVersion** The major version number of the update package.
+- **minorVersion** The minor version number of the update package.
+- **originalState** The starting state of the package.
+- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation.
+- **planTimeSeconds** The time in seconds required to plan the update operations.
+- **poqTimeSeconds** The time in seconds processing file and registry operations.
+- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update.
+- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot.
+- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed.
+- **rebootCount** The number of reboots required to install the update.
+- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update.
+- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update.
+- **revisionVersion** The revision version number of the update package.
+- **rptTimeSeconds** The time in seconds spent executing installer plugins.
+- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update.
+- **stackRevision** The revision number of the servicing stack.
+- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update.
+
+
+### CbsServicingProvider.CbsSelectableUpdateChangeV2
+
+This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
+
+The following fields are available:
+
+- **applicableUpdateState** Indicates the highest applicable state of the optional content.
+- **buildVersion** The build version of the package being installed.
+- **clientId** The name of the application requesting the optional content change.
+- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations.
+- **executionSequence** A counter that tracks the number of servicing operations attempted on the device.
+- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable.
+- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable.
+- **hrDownloadResult** The return code of the download operation.
+- **hrStatusUpdate** The return code of the servicing operation.
+- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled.
+- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows.
+- **majorVersion** The major version of the package being installed.
+- **minorVersion** The minor version of the package being installed.
+- **packageArchitecture** The architecture of the package being installed.
+- **packageLanguage** The language of the package being installed.
+- **packageName** The name of the package being installed.
+- **rebootRequired** Indicates whether a reboot is required to complete the operation.
+- **revisionVersion** The revision number of the package being installed.
+- **stackBuild** The build number of the servicing stack binary performing the installation.
+- **stackMajorVersion** The major version number of the servicing stack binary performing the installation.
+- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation.
+- **stackRevision** The revision number of the servicing stack binary performing the installation.
+- **updateName** The name of the optional Windows Operation System feature being enabled or disabled.
+- **updateStartState** A value indicating the state of the optional content before the operation started.
+- **updateTargetState** A value indicating the desired state of the optional content.
+
+
+### CbsServicingProvider.CbsUpdateDeferred
+
+This event reports the results of deferring Windows Content to keep Windows up to date.
+
+
+
+## Deployment events
+
+### Microsoft.Windows.Deployment.Imaging.AppExit
+
+This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **hr** HResult returned from app exit.
+- **totalTimeInMs** Total time taken in Ms.
+
+
+### Microsoft.Windows.Deployment.Imaging.AppInvoked
+
+This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **branch** Corresponding branch for the image.
+- **isInDbg** Whether the app is in debug mode or not.
+- **isWSK** Whether the app is building images using WSK or not.
+
+
+## DISM events
+
+### Microsoft.Windows.StartRepairCore.DISMPendingInstall
+
+The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **dismPendingInstallPackageName** The name of the pending package.
+
+
+### Microsoft.Windows.StartRepairCore.DISMRevertPendingActions
+
+The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd
+
+The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **failedUninstallCount** The number of driver updates that failed to uninstall.
+- **failedUninstallFlightIds** The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRepairAction** The scenario name for a repair.
+- **successfulUninstallCount** The number of successfully uninstalled driver updates.
+- **successfulUninstallFlightIds** The Flight IDs (identifiers of beta releases) of successfully uninstalled driver updates.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionStart
+
+The SRT Repair Action Start event sends information to report repair operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **srtRepairAction** The scenario name for a repair.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
+
+The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **flightIds** The Flight IDs (identifier of the beta release) of found driver updates.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRootCauseDiag** The scenario name for a diagnosis event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
+
+The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **srtRootCauseDiag** The scenario name for a diagnosis event.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **BrightnessVersionViaDDI** The version of the Display Brightness Interface.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DDIInterfaceVersion** The device driver interface version.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **Display1UMDFilePath** The file path to the location of the Display User Mode Driver in the Driver Store.
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **DriverWorkarounds** Numeric value indicating the driver workarounds that are enabled for this device.
+- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
+- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
+- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
+- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
+- **DxDbCurrentVersion** Version of the DirectX Database on the device.
+- **DxDbVersionCheckStatus** Numeric value indicating the result of the last check on the DirectX Database version for the device.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **HwFlipQueueSupportState** Numeric value indicating the adapter's support for hardware flip queues.
+- **HwSchSupportState** Numeric value indicating the adapter's support for hardware scheduling.
+- **IddPairedRenderAdapterLuid** Identifier for the render adapter paired with this display adapter.
+- **InterfaceFuncPointersProvided1** Number of device driver interface function pointers provided.
+- **InterfaceFuncPointersProvided2** Number of device driver interface function pointers provided.
+- **InterfaceFuncPointersProvided3** Number of device driver interface function pointers provided.
+- **InterfaceId** The GPU interface ID.
+- **IsCrossAdapterScanOutSupported** Boolean value indicating whether the adapter supports cross-adapter scanout optimization.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHwFlipQueueEnabled** Boolean value indicating whether hardware flip queues are enabled.
+- **IsHwSchEnabled** Boolean value indicating whether hardware scheduling is enabled.
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **IsVirtualRefreshRateSupported** Boolean value indicating whether the adapter supports virtual refresh rates.
+- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
+- **MdmSupportStatus** Numeric value indicating support for Microsoft Display Mux.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NodeTypes** Types of execution nodes comprising the graphics adapter.
+- **NumExecutionNodes** Number of execution nodes comprising the graphics adapter.
+- **NumNonVidPnTargets** Number of display targets.
+- **NumPhysicalAdapters** Number of physical graphics adapters.
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+### DxgKrnlTelemetry.GPUStartAdapter
+
+This event records information about an attempt to start a graphics adapter.
+
+The following fields are available:
+
+- **DDIInterfaceVersion** Version of the display driver interface (DDI).
+- **DriverDate** Date of the display driver.
+- **DriverRank** Rank for the display driver.
+- **DriverVersion** Version of the display driver.
+- **FailureReason** Numeric value indicating the stage in which the startup attempt failed.
+- **GPUDeviceID** Device identifier for the graphics adapter.
+- **GPURevisionID** Revision identifier for the graphics adapter.
+- **GPUVendorID** Vendor identifier for the graphics adapter.
+- **IsSoftwareDevice** Boolean value indicating whether the graphics adapter is implemented in software only.
+- **StartAdapterFailedSequenceId** Numeric value indicating the graphics adapter startup attempt count.
+- **Status** Numeric value indicating the status of the graphics adapter startup attempt.
+- **SubSystemID** Subsystem identifier for the graphics adapter.
+- **SubVendorID** Subsystem vendor identifier for the graphics identifier.
+- **version** Version of the schema for the event.
+
+
+## Failover Clustering events
+
+### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
+
+This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations.
+
+The following fields are available:
+
+- **autoAssignSite** The cluster parameter: auto site.
+- **autoBalancerLevel** The cluster parameter: auto balancer level.
+- **autoBalancerMode** The cluster parameter: auto balancer mode.
+- **blockCacheSize** The configured size of the block cache.
+- **ClusterAdConfiguration** The ad configuration of the cluster.
+- **clusterAdType** The cluster parameter: mgmt_point_type.
+- **clusterDumpPolicy** The cluster configured dump policy.
+- **clusterFunctionalLevel** The current cluster functional level.
+- **clusterGuid** The unique identifier for the cluster.
+- **clusterWitnessType** The witness type the cluster is configured for.
+- **countNodesInSite** The number of nodes in the cluster.
+- **crossSiteDelay** The cluster parameter: CrossSiteDelay.
+- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold.
+- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay.
+- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold.
+- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters.
+- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters.
+- **csvResourceCount** The number of resources in the cluster.
+- **currentNodeSite** The name configured for the current site for the cluster.
+- **dasModeBusType** The direct storage bus type of the storage spaces.
+- **downLevelNodeCount** The number of nodes in the cluster that are running down-level.
+- **drainOnShutdown** Specifies whether a node should be drained when it's shut down.
+- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled.
+- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity.
+- **genAppNames** The Win32 service name of a clustered service.
+- **genSvcNames** The command line of a clustered genapp.
+- **hangRecoveryAction** The cluster parameter: hang recovery action.
+- **hangTimeOut** Specifies the “hang time out” parameter for the cluster.
+- **isCalabria** Specifies whether storage spaces direct is enabled.
+- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes.
+- **isRunningDownLevel** Identifies if the current node is running down-level.
+- **logLevel** Specifies the granularity that is logged in the cluster log.
+- **logSize** Specifies the size of the cluster log.
+- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID.
+- **minNeverPreempt** The cluster parameter: minimum never preempt.
+- **minPreemptor** The cluster parameter: minimum preemptor priority.
+- **netftIpsecEnabled** The parameter: netftIpsecEnabled.
+- **NodeCount** The number of nodes in the cluster.
+- **nodeId** The current node number in the cluster.
+- **nodeResourceCounts** Specifies the number of node resources.
+- **nodeResourceOnlineCounts** Specifies the number of node resources that are online.
+- **numberOfSites** The number of different sites.
+- **numNodesInNoSite** The number of nodes not belonging to a site.
+- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes.
+- **preferredSite** The preferred site location.
+- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster.
+- **quarantineDuration** The quarantine duration.
+- **quarantineThreshold** The quarantine threshold.
+- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period.
+- **rdmaConnectionsForStorage** This specifies the rdma connections for storage.
+- **resiliencyLevel** Specifies the level of resiliency.
+- **resourceCounts** Specifies the number of resources.
+- **resourceTypeCounts** Specifies the number of resource types in the cluster.
+- **resourceTypes** Data representative of each resource type.
+- **resourceTypesPath** Data representative of the DLL path for each resource type.
+- **sameSubnetDelay** The cluster parameter: same subnet delay.
+- **sameSubnetThreshold** The cluster parameter: same subnet threshold.
+- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
+- **securityLevel** The cluster parameter: security level.
+- **securityLevelForStorage** The cluster parameter: security level for storage.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
+- **upNodeCount** Specifies the number of nodes that are up (online).
+- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
+- **useRdmaForStorage** The cluster parameter to use rdma for storage.
+- **vmIsolationTime** The cluster parameter: VM isolation time.
+- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (for example, from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (for example, from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, don't offer JIT debugging, or don't terminate the process after reporting.
+- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
+- **IsFatal** True/False to indicate whether the crash resulted in process termination.
+- **ModName** Exception module name (for example, bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Feature quality events
+
+### Microsoft.Windows.FeatureQuality.Heartbeat
+
+This event indicates the feature status heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **Features** Array of features.
+
+
+### Microsoft.Windows.FeatureQuality.StateChange
+
+This event indicates the change of feature state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight ID.
+- **state** New state.
+
+
+### Microsoft.Windows.FeatureQuality.Status
+
+This event indicates the feature status. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **featureId** Feature ID.
+- **flightId** Flight ID.
+- **time** Time of status change.
+- **variantId** Variant ID.
+
+
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
+
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **failureReason** Provides data about the uninstall initialization operation failure.
+- **hr** Provides the Win32 error code for the operation failure.
+
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
+
+This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (for example, PLM/RM/EM) as Watson Generics and won't produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process ID used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it's waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it's waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application ID of the package.
+
+
+## Holographic events
+
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded
+
+This event indicates Windows Mixed Reality device state. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **ClassGuid** Windows Mixed Reality device class GUID.
+- **DeviceInterfaceId** Windows Mixed Reality device interface ID.
+- **DriverVersion** Windows Mixed Reality device driver version.
+- **FirmwareVersion** Windows Mixed Reality firmware version.
+- **Manufacturer** Windows Mixed Reality device manufacturer.
+- **ModelName** Windows Mixed Reality device model name.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceRemoved
+
+This event indicates Windows Mixed Reality device state. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly.
+
+The following fields are available:
+
+- **DeviceInterfaceId** Device Interface ID.
+
+
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
+
+This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **IsForCompositor** True/False to indicate whether the holographic space is for compositor process.
+- **Source** An enumeration indicating the source of the log.
+- **WindowInstanceId** Unique value for each window instance.
+
+
+### Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated
+
+This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **HmdState** Windows Mixed Reality Headset HMD state.
+- **NewHoloShellState** Windows Mixed Reality HoloShell state.
+- **PriorHoloShellState** Windows Mixed Reality state prior to entering to HoloShell.
+- **SimulationEnabled** Windows Mixed Reality Simulation state.
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
+
+This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **IsDemoMode** Windows Mixed Reality Portal app state of demo mode.
+- **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion.
+- **PackageVersion** Windows Mixed Reality Portal app package version.
+- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
+- **wilActivity** Windows Mixed Reality Portal app wilActivity ID.
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.SomethingWentWrong
+
+This event is emitted when something went wrong error occurs. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly.
+
+The following fields are available:
+
+- **ErrorSource** Source of error, obsoleted always 0.
+- **StartupContext** Start up state.
+- **StatusCode** Error status code.
+- **SubstatusCode** Error sub status code.
+
+
+### TraceLoggingHoloLensSensorsProvider.OnDeviceAdd
+
+This event provides Windows Mixed Reality device state with new process that hosts the driver. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly.
+
+The following fields are available:
+
+- **Process** Process ID.
+- **Thread** Thread ID.
+
+
+### TraceLoggingOasisUsbHostApiProvider.DeviceInformation
+
+This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version.
+- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version.
+- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number.
+- **BTHFWMajorVer** Windows Mixed Reality device BTHFW major version. This event also used to count WMR device.
+- **BTHFWMinorVer** Windows Mixed Reality device BTHFW minor version. This event also used to count WMR device.
+- **BTHFWRevisionNumber** Windows Mixed Reality device BTHFW revision number.
+- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size.
+- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version.
+- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version.
+- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number.
+- **DeviceInfoFlags** Windows Mixed Reality device info flags.
+- **DeviceReleaseNumber** Windows Mixed Reality device release number.
+- **FirmwareMajorVer** Windows Mixed Reality device firmware major version.
+- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version.
+- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number.
+- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version.
+- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version.
+- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number.
+- **FriendlyName** Windows Mixed Reality device friendly name.
+- **HashedSerialNumber** Windows Mixed Reality device hashed serial number.
+- **HeaderSize** Windows Mixed Reality device header size.
+- **HeaderVersion** Windows Mixed Reality device header version.
+- **LicenseKey** Windows Mixed Reality device header license key.
+- **Make** Windows Mixed Reality device make.
+- **ManufacturingDate** Windows Mixed Reality device manufacturing date.
+- **Model** Windows Mixed Reality device model.
+- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page.
+- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage.
+- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId.
+- **ProductBoardRevision** Windows Mixed Reality device product board revision number.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AndroidPackageId** A unique identifier for an Android app.
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiInstallDate** The install date recorded in the program's MSI package.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
+- **SparkId** Unique ID that represents a Win32 app installed from the Microsoft Store.
+- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it's a service. Application and BOE are the ones most likely seen.
+- **Version** The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationKbStartSync
+
+This event represents the basic metadata about an application updates (KBs) installed on the system. This event is used to understand the applications on a machine to determine if there will be compatibility issues when upgrading Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory components.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+## Kernel events
+
+### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
+
+This event is sent when a new problem code is assigned to a device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Count** The total number of events.
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **LastProblem** The previous problem code that was set on the device.
+- **LastProblemStatus** The previous NTSTATUS value that was set on the device.
+- **Problem** The new problem code that was set on the device.
+- **ProblemStatus** The new NTSTATUS value that was set on the device.
+- **ServiceName** The driver or service name that is attached to the device.
+
+
+### Microsoft.Windows.Kernel.Power.AbnormalShutdown
+
+This event provides diagnostic information of the most recent abnormal shutdown.
+
+The following fields are available:
+
+- **BootEnvironment** Errors from boot environment.
+- **BootStatValid** Status of bootstat file.
+- **Bugcheck** Bugcheck information.
+- **CrashDump** Crash dump information.
+- **CurrentBootId** ID of this boot.
+- **FirmwareReset** System reset by firmware.
+- **LastShutdownBootId** BootID of last shutdown.
+- **LongPowerButtonHold** Long power button hold information.
+- **SystemStateTransition** State transition information.
+- **Watchdog** Watchdog information.
+- **WheaBootErrorCount** Whea boot error information.
+
+
+### Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown
+
+This event sends Product and Service Performance data on which area of the device exceeded safe temperature limits and caused the device to shutdown. This information is used to ensure devices are behaving as they're expected to. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **temperature** Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that exceeded the limit.
+- **thermalZone** Contains an identifier that specifies which area it was that exceeded temperature limits.
+- **TotalUpTimeMs** Contains the total system up time in milliseconds.
+
+
+## Microsoft Edge events
+
+### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **account_type** A number representing the type of the signed in user account, where 0 indicates None, 1 indicates Microsoft Account, 2 indicates Azure Active Directory, 3 indicates On-Prem Active Directory and 4 indicates Azure Active Directory (Degraded). This field is currently only supported on mobile platforms and so the value is set to -1 on non-mobile platforms.
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Microsoft Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state wasn't retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end.
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (for example, Canary/Dev/Beta/Stable). client_id isn't durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to five significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client isn't on a UTC-enabled platform, then this value won't be set.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **account_type** A number representing the type of the signed in user account, where 0 indicates None, 1 indicates Microsoft Account, 2 indicates Azure Active Directory, 3 indicates On-Prem Active Directory and 4 indicates Azure Active Directory (Degraded). This field is currently only supported on mobile platforms and so the value is set to -1 on non-mobile platforms.
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Microsoft Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state wasn't retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end.
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (for example, Canary/Dev/Beta/Stable). client_id isn't durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to five significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client isn't on a UTC-enabled platform, then this value won't be set.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **account_type** Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Microsoft Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state wasn't retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end.
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (for example, Canary/Dev/Beta/Stable). client_id isn't durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to five significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client isn't on a UTC-enabled platform, then this value won't be set.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **account_type** A number representing the type of the signed in user account, where 0 indicates None, 1 indicates Microsoft Account, 2 indicates Azure Active Directory, 3 indicates On-Prem Active Directory and 4 indicates Azure Active Directory (Degraded). This field is currently only supported on mobile platforms and so the value is set to -1 on non-mobile platforms.
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Microsoft Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state wasn't retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end.
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (for example, Canary/Dev/Beta/Stable). client_id isn't durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to five significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client isn't on a UTC-enabled platform, then this value won't be set.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Microsoft Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Microsoft Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date.
+
+The following fields are available:
+
+- **appAp** Any additional parameters for the specified application. Default: ''.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
+- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
+- **appChannel** An integer indicating the channel of the installation (that is, Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (for example, send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
+- **appEdgePreviewDisenrollReason** Reason why Preview was unenrolled.
+- **appEdgePreviewPreviousValuesV2** Previous values of the Microsoft Edge Preview.
+- **appEdgePreviewState** Specifies if Microsoft Edge is in the preview state.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appFirstFRESeenTime** The earliest time the Microsoft Edge First Run Experience was seen by any user on the device in Windows FILETIME units / 10. Default: undefined.
+- **appFirstFRESeenVersion** The earliest Microsoft Edge First Run Experience version that was seen by any user on the device (for example '1.2.3.4'). Default: undefined.
+- **appInactivityBadgeApplied** Specifies that the inactivity badge has been applied.
+- **appInactivityBadgeCleared** Specifies that the inactivity badge has been cleared.
+- **appInactivityBadgeDuration** The duration of the inactivity badge.
+- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
+- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appIsPinnedSystem** Specifies is the app is pinned.
+- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appLastLaunchCount** Number of times the app launched last.
+- **appLastLaunchTime** The time when browser was last launched.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
+- **appOOBEInstallTime** The time of first recorded successful OOBE Microsoft Edge install in Windows FILETIME units / 10 (that is, the install time of any fully completed OOBE install achieved before OOBE finishes), as recorded by setup.exe. Default: undefined.
+- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
+- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
+- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) For example, HIT from proxy.domain.tld, MISS from proxy.local.
+- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. for example: US.
+- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
+- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. For example, Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z.
+- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. For example, CP=\"CAO PSA OUR\".
+- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
+- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventPackageCacheResult** Whether there's an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field doesn't apply.
+- **appPingEventSequenceId** An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
+- **appPingEventSystemUptimeTicks** Number of ticks that the system has been up.
+- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'.
+- **appUpdateCheckIsRollbackAllowed** Check for status showing whether or not rollback is allowed.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
+- **appUpdateCheckTargetChannel** Check for status showing the target release channel.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it's not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
+- **appUpdateCount** A running total of successful updates recorded by setup.exe. This is used for continuity checking of the Ping data spanning consecutive updates.
+- **appUpdatesAllowedForMeteredNetworks** Specifies if the device can receive updates with on a metered network.
+- **appVersion** The version of the product install. shouldn't Default: '0.0.0.0'.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **eventType** A string indicating the type of the event. shouldn't
+- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
+- **hwDiskType** Device’s hardware disk type.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware doesn't support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware doesn't support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware doesn't support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware doesn't support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwLogicalCpus** Number of logical CPUs of the device.
+- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isCTADevice** Specifies if the device is CTA.
+- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **oemProductManufacturer** The device manufacturer name.
+- **oemProductName** The product name of the device defined by device manufacturer.
+- **osArch** The architecture of the operating system (for example, 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osIsDefaultNetworkConnectionMetered** States if the default network connection is metered.
+- **osIsInLockdownMode** Is the OS in lockdown mode.
+- **osIsWIP** Whether the OS is in preview.
+- **osPlatform** The operating system family that the within which the Omaha client is running (for example 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osProductType** Type associated with the operating system.
+- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
+- **osWIPBranch** WIP branch of the operating system.
+- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined** '1' if the machine is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined.
+- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
+- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (for example, update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and shouldn't be counted toward normal metrics. Default: ''.
+- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
+
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.PingXml
+
+The PingXml event sends detailed information pertaining to a specific instance of an update process in MicrosoftEdgeUpdate. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. Each PingXml event can contain update logs from multiple different applications, and each application node in the XML payload can contain multiple different ping events. This event is sent whenever an update process occurs in the MicrosoftEdgeUpdate, regardless of the exit status. This event is used to track the reliability and performance of the MicrosoftEdgeUpdate process. The payload of this event is defined in the protocol definition header file.
+
+The following fields are available:
+
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **Xml** XML-encoded string representing the request payload of the ping event. The request payload includes data and metadata for four nodes: the request itself, the hardware of the device, the OS of the device, and each updated application. Each application node includes additional nodes for individual ping events.
+
+
+## Migration events
+
+### Microsoft.Windows.MigrationCore.MigObjectCountDLSys
+
+This event is used to indicate object count for system paths during different phases of Windows feature update.
+
+The following fields are available:
+
+- **migDiagSession->CString** Indicates the phase of the update.
+- **objectCount** Number of files being tracked for the corresponding phase of the update.
+- **sfInfo.Name** This indicates well know folder location path (Ex: PUBLIC_downloads etc.)
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+The following fields are available:
+
+- **currentSid** Indicates the user SID for which the migration is being performed.
+- **migDiagSession->CString** The phase of the upgrade where migration occurs. (for example: Validate tracked content)
+- **objectCount** The count for the number of objects that are being transferred.
+- **sfInfo.Name** This event identifies the phase of the upgrade where migration happens.
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
+
+This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+The following fields are available:
+
+- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens.
+- **objectCount** The count of the number of objects that are being transferred.
+- **sfInfo.Name** The predefined folder path locations. For example, FOLDERID_PublicDownloads
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+The following fields are available:
+
+- **currentSid** Indicates the user SID for which the migration is being performed.
+- **migDiagSession->CString** The phase of the upgrade where the migration occurs. (For example, Validate tracked content.)
+- **objectCount** The number of objects that are being transferred.
+- **sfInfo.Name** The predefined folder path locations. For example, FOLDERID_PublicDownloads.
+
+
+## OneSettings events
+
+### Microsoft.Windows.OneSettingsClient.Heartbeat
+
+This event indicates the config state heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **Configs** Array of configs.
+
+
+### Microsoft.Windows.OneSettingsClient.StateChange
+
+This event indicates the change in config state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **state** New state.
+
+
+### Microsoft.Windows.OneSettingsClient.Status
+
+This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **time** Time.
+
+
+## OOBE events
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateNthLogonDisplayStatus
+
+NthLogon NDUP evaluated whether it should launch or not.
+
+The following fields are available:
+
+- **nthSkippedReasonFlag** Flag indicating skip reason.
+- **reason** Skip reason string.
+
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdatePageSkipped
+
+This event provides information about skipping expedited update page. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **reason** Reason for skip.
+- **skippedReasonFlag** Flag representing reason for skip.
+
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStatusResult
+
+This event provides status of expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **oobeExpeditedUpdateStatus** Expedited update status.
+- **reason** Reason for the status.
+- **resultCode** HR result of operation.
+
+
+## Other events
+
+### Microsoft.Windows.Analog.HolographicDriverClient.TelemetryUserPresenceChanged
+
+This event sends data indicating the state detected by user presence sensor. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **correlationGuid** Unique correlation Guid Id.
+- **isPresent** State detected by user presence sensor.
+
+
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+
+This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
+
+This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **EventHistory** Unique number of event history.
+- **ExternalComponentState** State of external component.
+- **LastEvent** Unique number of last event.
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
+### Microsoft.Windows.Security.NGC.KspSvc.NgcUserIdKeyFinalize
+
+This event traces Windows Hello key creation finalize.
+
+
+The following fields are available:
+
+- **accountType** The account type of the user.
+- **cacheType** The cache type of the key.
+- **finalizeStatus** Returned status code after the finalize operation.
+- **gestureRequired** The operation requires a gesture.
+- **isIsoContainer** Indicates if it's using IsoContainer.
+- **isVsm** Indicates if Container is in Vsm.
+- **keyAccountId** Key account ID.
+- **keyAlgId** Key Algorithm ID.
+- **keyDomain** Key domain name.
+- **keyImplType** Key implementation type.
+- **keyTenant** Key tenant name.
+- **keyType** Key type.
+- **signStatus** Returned status code after the finalize operation.
+- **silentByCaller** Indicates whether the caller wanted to finalize silently.
+- **silentByProperty** Indicates whether the key property specified to finalize silently.
+
+
+### Microsoft.Windows.Security.NGC.KspSvc.NgcUserIdKeySignHash
+
+This event traces Windows Hello key signing details.
+
+The following fields are available:
+
+- **accountType** The account type of the user.
+- **cacheType** The cache type of the key.
+- **callerCmdLine** Caller process command line string.
+- **didPrompt** Whether a UI prompt was triggered.
+- **gestureRequired** The operation requires a gesture.
+- **isCacheWithTimedCounterEnabled** New caching mechanism is enabled.
+- **isCallerProcessQueryLimited** Indicates if caller process failed to be opened with PROCESS_VM_READ privilege.
+- **isUnlockTimeSet** We have a valid unlock time to use.
+- **keyAccountId** Hashed key account ID.
+- **keyDomain** Hashed key domain name.
+- **keyImplType** The implementation type of the key.
+- **keyTenant** Hashed key tenant name.
+- **keyType** Key type.
+- **numSignatures** Number of signatures made since logon or unlock.
+- **persistedInPinCache** The PIN was persisted in the cache.
+- **protectionLevel** Specifies whether the caller process is a PPL and at what level.
+- **sessionGuid** Unique identifier for the current user session.
+- **signStatus** Returned status code after the sign operation.
+- **silentByCaller** Indicates whether the caller wanted to sign silently.
+- **silentByProperty** Indicates whether the key property specified to sign silently.
+- **timeSinceUnlockMs** Time since logon or unlock in milliseconds.
+- **usedPinCache** The PIN cache was used to attempt to sign.
+- **validTicket** The provided ticket doesn't match the default or invalid auth ticket.
+
+### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateFailed
+
+Event that indicates that an attempt to apply secure boot updates failed
+
+The following fields are available:
+
+- **Action** Action string when error occurred
+- **hr** Error code in HRESULT
+- **IsRejectedByFirmware** Bool value to indicate if firmware has rejected the update.
+- **IsResealNeeded** BOOL value to indicate if TPM Reseal was needed
+- **RevokedBootmanager** BOOL value to indicate if current bootmgr is revoked.
+- **SecureBootUpdateCaller** Scenario in which function was called. Could be Update or Upgrade
+- **UpdateType** Indicates if it's DB or DBX update
+- **WillResealSucceed** Indicates if TPM reseal operation is expected to succeed
+
+
+### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
+
+Event that indicates secure boot update has started.
+
+The following fields are available:
+
+- **AvailableUpdates** Number of available secure boot updates.
+- **SecureBootUpdateCaller** Enum value indicating if this is a servicing or an upgrade.
+
+
+### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateSucceeded
+
+This event indicates if the Secure Boot Update succeded.
+
+The following fields are available:
+
+- **Action** Indicates the stage for success.
+- **IsRebootRequiredBeforeUpdate** Indicates if reboot is required for before re-attempting the update.
+- **IsResealNeeded** Indicates if BitLocker reseal is needed.
+- **RevokedBootmanager** Indicates if there's a revoked bootmgr on the machine.
+- **SecureBootUpdateCaller** Info about the caller of the update.
+- **UpdateType** VariableMask like DB, DBX.
+- **WillResealSucceed** Inform if reseal will succeed.
+
+
+### Microsoft.Windows.Security.SBServicingCore.ApplySecureBootUpdateCompleted
+
+This event logs when the installer completes Secureboot update.
+
+The following fields are available:
+
+- **Action** String that tells us the failure stage if any.
+- **hr** error code.
+- **IsResealNeeded** Is BitLocker reseal was needed on this machine.
+- **sbServicingFailureReason** Enum containing failure details.
+- **SecureBootUpdateCaller** Caller of the update like Secureboot AI, tpmtask or dbupdater.
+- **UpdateType** Update type DB or DBX.
+- **WillResealSucceed** If BitLocker reseal will succeed on this machine.
+
+
+### Microsoft.Windows.Security.SBServicingCore.ApplySecureBootUpdateStarted
+
+This event logs when Secureboot updating containing DB/DBX payload starts.
+
+The following fields are available:
+
+- **SecureBootUpdateCaller** Caller of the update like Secureboot AI, TPMTask or DBUpdater.
+- **UpdateType** Update type like DB or DBX.
+
+
+### Microsoft.Windows.Security.SBServicingCore.SBServicingCoreFunctionFailed
+
+This event logs when some core function of Secureboot AI fails.
+
+The following fields are available:
+
+- **Action** stage at which the failure occurred.
+- **Function** name of the function where the failure occurred.
+- **hr** error code.
+
+
+### Microsoft.Windows.Shell.CortanaSearch.WebView2ProcessFailed
+
+This event tracks if the WebView2 process failed.
+
+The following fields are available:
+
+- **ExitCode** WebView2 exit code.
+- **ProcessFailedKind** WebView2 process failure kind.
+- **Reason** WebView2 process failure reason.
+- **SessionId** WebView2 sessionId.
+
+
+### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.GetUserAccountState
+
+This event keeps track of if the user's account is in a good state upon loading the Settings Accounts L1 page.
+
+The following fields are available:
+
+- **CassService** Version of the Cass service.
+- **componentName** Name of the Settings component.
+- **correlationVector** Identifier for correlating events.
+- **currentPageGroupId** Identifier for the current page group.
+- **currentPageId** Identifier for the current page.
+- **experienceId** Identifier for the Settings experience.
+- **experienceVersion** Version of the experience.
+- **isExperienceInbox** Is the experience present by default (Comes with the system).
+- **pageId** Identifier for the Setting page.
+- **pageSessionId** Identifier for the page session.
+- **processSessionId** Identifier for the process.
+- **state** State that determines if the account has required backup proofs (eg. email and phone)
+
+
+### Microsoft.Windows.WinRE.Agent.CreateWinRePartitionFailed
+
+This event emits failure of the Creation of the WinRE partition operation.
+
+The following fields are available:
+
+- **ErrorCode** Error code.
+
+
+### Microsoft.Windows.WinRE.Agent.ExtendOsPartitionSucceed
+
+This event emits success for the extending OS Partition operation.
+
+
+### Microsoft.Windows.WinRE.Agent.ShrinkOsPartitionFailed
+
+This event captures OS partition shrink operation failures during the WinRE servicing.
+
+The following fields are available:
+
+- **HRESULT** Error code.
+
+
+### Microsoft.Windows.WinRE.Agent.WinreFormatPartition
+
+This event fires when WinRE partition is formatted.
+
+
+
+### Microsoft.Windows.WinRE.Agent.WinreFormatPartitionSucceed
+
+This vvent fires when WinRE partition attempts to format and succeeds.
+
+
+## Privacy consent logging events
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
+
+This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **presentationVersion** Which display version of the privacy consent experience the user completed
+- **privacyConsentState** The current state of the privacy consent experience
+- **settingsVersion** Which setting version of the privacy consent experience the user completed
+- **userOobeExitReason** The exit reason of the privacy consent experience
+
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
+
+This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **isAdmin** whether the person who is logging in is an admin
+- **isExistingUser** whether the account existed in a downlevel OS
+- **isLaunching** Whether or not the privacy consent experience will be launched
+- **isSilentElevation** whether the user has most restrictive UAC controls
+- **privacyConsentState** whether the user has completed privacy experience
+- **userRegionCode** The current user's region setting
+
+
+## Setup events
+
+### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation
+
+This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **Mode** The kind of monitoring mode enforced for the given path (this is one of a fixed set of strings).
+- **Path** Path to the file or the directory which is being moved or deleted.
+- **Process** Path to the process which is requesting the move or the deletion.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **TargetPath** (Optional) If the operation is a move, the target path to which the file or directory is being moved.
+
+
+### Microsoft.Windows.Setup.WinSetupMon.TraceError
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver.
+
+The following fields are available:
+
+- **Message** Text string describing the error condition.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **Status** NTSTATUS code related to the error.
+
+
+### Microsoft.Windows.Setup.WinSetupMon.TraceErrorVolume
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver, related to a specific volume (drive).
+
+The following fields are available:
+
+- **Message** Text string describing the error condition.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **Status** NTSTATUS code related to the error.
+- **Volume** Path of the volume on which the error occurs
+
+
+## Surface events
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly.
+
+The following fields are available:
+
+- **batteryData** Battery Performance data.
+- **batteryData.data()** Battery performance data.
+- **BatteryDataSize:** Size of the battery performance data.
+- **batteryInfo.data()** Battery performance data.
+- **BatteryInfoSize:** Size of the battery performance data.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device.
+- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC?
+- **BPMHvtCountA** Current HVT count for BPM counter A.
+- **BPMHvtCountB** Current HVT count for BPM counter B.
+- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count.
+- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMTotalEngagedMinutes** Total time that BPM was engaged.
+- **BPMTotalEntryEvents** Total number of times entering BPM.
+- **BPMv4CurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device.
+- **BPMv4ExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC?.
+- **BPMv4HvtCountA** Current HVT count for BPM counter A.
+- **BPMv4HvtCountB** Current HVT count for BPM counter B.
+- **BPMv4RsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMv4RsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMv4RsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMv4RsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMv4TotalEngagedMinutes** Total time that BPM was engaged.
+- **BPMv4TotalEntryEvents** Total number of times entering BPM.
+- **ComponentId** Component ID.
+- **FwVersion** FW version that created this log.
+- **LogClass** Log Class.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** Log MGR version.
+- **MCUInstance** Instance ID used to identify multiple MCUs in a product.
+- **ProductId** Product ID.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **batteryPresent** Battery present on device.
+- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on.
+- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%).
+- **ComponentId** Component ID.
+- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC.
+- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up.
+- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially.
+- **CTTReduction** Current CTT reduction in mV
+- **CTTStartDateInSeconds** Start date from when device was starting to be used.
+- **currentAuthenticationState** Current Authentication State.
+- **FwVersion** FW version that created this log.
+- **LogClass** LOG CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG MGR VERSION.
+- **MCUInstance** Instance ID used to identify multiple MCUs in a product.
+- **newSnFruUpdateCount** New Sn FRU Update Count.
+- **newSnUpdateCount** New Sn Update Count.
+- **ProductId** Product ID.
+- **ProtectionPolicy** Battery limit engaged. True (0 False).
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+- **VoltageOptimization** Current CTT reduction in mV.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **cbTimeCell_Values** cb time for different cells.
+- **ComponentId** Component ID.
+- **cycleCount** Cycle Count.
+- **deltaVoltage** Delta voltage.
+- **eocChargeVoltage_Values** EOC Charge voltage values.
+- **fullChargeCapacity** Full Charge Capacity.
+- **FwVersion** FW version that created this log.
+- **lastCovEvent** Last Cov event.
+- **lastCuvEvent** Last Cuv event.
+- **LogClass** LOG_CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG_MGR_VERSION.
+- **manufacturerName** Manufacturer name.
+- **maxChargeCurrent** Max charge current.
+- **maxDeltaCellVoltage** Max delta cell voltage.
+- **maxDischargeCurrent** Max discharge current.
+- **maxTempCell** Max temp cell.
+- **maxVoltage_Values** Max voltage values.
+- **MCUInstance** Instance ID used to identify multiple MCUs in a product.
+- **minTempCell** Min temp cell.
+- **minVoltage_Values** Min voltage values.
+- **numberOfCovEvents** Number of Cov events.
+- **numberOfCuvEvents** Number of Cuv events.
+- **numberOfOCD1Events** Number of OCD1 events.
+- **numberOfOCD2Events** Number of OCD2 events.
+- **numberOfQmaxUpdates** Number of Qmax updates.
+- **numberOfRaUpdates** Number of Ra updates.
+- **numberOfShutdowns** Number of shutdowns.
+- **pfStatus_Values** pf status values.
+- **ProductId** Product ID.
+- **qmax_Values** Qmax values for different cells.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **avgCurrLastRun** Average current last run.
+- **avgPowLastRun** Average power last run.
+- **batteryMSPN** BatteryMSPN
+- **batteryMSSN** BatteryMSSN.
+- **cell0Ra3** Cell0Ra3.
+- **cell1Ra3** Cell1Ra3.
+- **cell2Ra3** Cell2Ra3.
+- **cell3Ra3** Cell3Ra3.
+- **ComponentId** Component ID.
+- **currentAtEoc** Current at Eoc.
+- **firstPFstatusA** First PF status-A.
+- **firstPFstatusB** First PF status-B.
+- **firstPFstatusC** First PF status-C.
+- **firstPFstatusD** First PF status-D.
+- **FwVersion** FW version that created this log.
+- **lastQmaxUpdate** Last Qmax update.
+- **lastRaDisable** Last Ra disable.
+- **lastRaUpdate** Last Ra update.
+- **lastValidChargeTerm** Last valid charge term.
+- **LogClass** LOG CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG MGR VERSION.
+- **maxAvgCurrLastRun** Max average current last run.
+- **maxAvgPowLastRun** Max average power last run.
+- **MCUInstance** Instance ID used to identify multiple MCUs in a product.
+- **mfgInfoBlockB01** MFG info Block B01.
+- **mfgInfoBlockB02** MFG info Block B02.
+- **mfgInfoBlockB03** MFG info Block B03.
+- **mfgInfoBlockB04** MFG info Block B04.
+- **numOfRaDisable** Number of Ra disable.
+- **numOfValidChargeTerm** Number of valid charge term.
+- **ProductId** Product ID.
+- **qmaxCycleCount** Qmax cycle count.
+- **SeqNum** Sequence Number.
+- **stateOfHealthEnergy** State of health energy.
+- **stateOfHealthFcc** State of health Fcc.
+- **stateOfHealthPercent** State of health percent.
+- **TimeStamp** UTC seconds when log was created.
+- **totalFwRuntime** Total FW runtime.
+- **updateStatus** Update status.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3
+
+Hardware level data about battery performance.
+
+The following fields are available:
+
+- **BatteryTelemetry** Hardware Level Data about battery performance.
+- **ComponentId** Component ID.
+- **FwVersion** FW version that created this log.
+- **LogClass** LOG CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG MGR VERSION.
+- **MCUInstance** Instance ID used to identify multiple MCUs in a product.
+- **ProductId** ProductId ID.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+## Update Assistant events
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationFailed
+
+This event is raised after an executable delivered by Mitigation Service has run and failed. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. Failure data will also be used for root-cause investigation by feature teams, as signal to halt mitigation rollout and, possible follow-up action on specific devices still impacted by the problem because the mitigation failed (that is, reoffer it to impacted devices). The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **activeProcesses** Number of active processes.
+- **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded.
+- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter.
+- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service.
+- **countDownloadedPayload** Count instances of payload downloaded.
+- **description** Description of failure.
+- **devicePreference** Recommended Troubleshooting Setting on the device.
+- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe.
+- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab.
+- **executionHR** HR code of the execution of the mitigation.
+- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option.
+- **exitCode** Exit code of the execution of the mitigation.
+- **experimentFeatureId** Experiment feature ID.
+- **experimentFeatureState** Config state of the experiment.
+- **hr** HRESULT for error code.
+- **isActiveSessionPresent** If an active user session is present on the device.
+- **isCriticalMitigationAvailable** If a critical mitigation is available to this device.
+- **isFilteringSuccessful** If the filtering operation was successful.
+- **isReApply** reApply status for the mitigation.
+- **mitigationId** ID value of the mitigation.
+- **mitigationProcessCycleTime** Process cycle time used by the mitigation.
+- **mitigationRequestWithCompressionFailed** Boolean flag indicating if HTTP request with compression failed for this device.
+- **mitigationServiceResultFetched** Boolean flag indicating if mitigation details were fetched from the admin service.
+- **mitigationVersion** String indicating version of the mitigation.
+- **oneSettingsMetadataParsed** If OneSettings metadata was parsed successfully.
+- **oneSettingsSchemaVersion** Schema version used by the OneSettings parser.
+- **onlyNoOptMitigationsPresent** Checks if all mitigations were no opt.
+- **parsedOneSettingsFile** Indicates if OneSettings parsing was successful.
+- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter.
+- **SessionId** Random GUID used for grouping events in a session.
+- **subType** Error type.
+- **totalKernelTime** Total kernel time used by the mitigation.
+- **totalNumberOfApplicableMitigations** Total number of applicable mitigations.
+- **totalProcesses** Total number of processes assigned to the job object.
+- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object.
+- **totalUserTime** Total user mode time used by the job object.
+
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationSucceeded
+
+This event is raised after an executable delivered by Mitigation Service has successfully run. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **activeProcesses** Number of active processes.
+- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter.
+- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service.
+- **devicePreference** Recommended troubleshooting setting on the device.
+- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe.
+- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab.
+- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option.
+- **exitCode** Exit code of the execution of the mitigation.
+- **exitCodeDefinition** String describing the meaning of the exit code returned by the mitigation (that is, ProblemNotFound).
+- **experimentFeatureId** Experiment feature ID.
+- **experimentFeatureState** Feature state for the experiment.
+- **mitigationId** ID value of the mitigation.
+- **mitigationProcessCycleTime** Process cycle time used by the mitigation.
+- **mitigationVersion** String indicating version of the mitigation.
+- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter.
+- **SessionId** Random GUID used for grouping events in a session.
+- **totalKernelTime** Total kernel time used by the mitigation.
+- **totalProcesses** Total number of processes assigned to the job object.
+- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object.
+- **totalUserTime** Total user mode time used by the job object.
+
+
+## Update events
+
+### Update360Telemetry.FellBackToDownloadingAllPackageFiles
+
+This event indicates whether a failure occurred during Missing File List generation and is applicable to Quality Update downloads.
+
+The following fields are available:
+
+- **ErrorCode** Error code returned during Missing File List generation.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique ID for each flight.
+- **Package** Name of the package for which Missing File List generation failed and we fell back to downloading all package files.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean that indicates whether cancel was requested.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **RollbackFailureReason** Indicates the cause of the rollback.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **UpdateOutputState** A numeric value indicating the state of the update at the time of reboot.
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Hardware Error Architecture events
+
+### WheaProvider.WheaDriverErrorExternal
+
+This event is sent when a common platform hardware error is recorded by an external WHEA error source driver. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **creatorId** A GUID that identifies the entity that created the error record.
+- **errorFlags** Flags set on the error record.
+- **notifyType** A GUID that identifies the notification mechanism by which an error condition is reported to the operating system.
+- **partitionId** A GUID that identifies the partition on which the hardware error occurred.
+- **platformId** A GUID that identifies the platform on which the hardware error occurred.
+- **record** A binary blob containing the full error record. Due to the nature of common platform error records we have no way of fully parsing this blob for any given record.
+- **recordId** The identifier of the error record. This identifier is unique only on the system that created the error record.
+- **sectionFlags** The flags for each section recorded in the error record.
+- **sectionTypes** A GUID that represents the type of sections contained in the error record.
+- **severityCount** The severity of each individual section.
+- **timeStamp** Error time stamp as recorded in the error record.
+
+
+### WheaProvider.WheaDriverExternalLogginLimitReached
+
+This event indicates that WHEA has reached the logging limit for critical events from external drivers. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **timeStamp** Time at which the logging limit was reached.
+
+
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The Item Bundle ID.
+- **CategoryId** The Item Category ID.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
+- **IsMandatory** Was this a mandatory update?
+- **IsRemediation** Was this a remediation install?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Flag indicating if this is an update.
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The product family name of the product being installed.
+- **ProductId** The identity of the package or packages being installed.
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginAcquireLicense
+
+During App Installs and updates, a license is acquired to ensure the app/machine has an entitlement to the app.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name(s) of all packages to be downloaded and installed.
+- **AttemptNumber** Total number of install attempts before this operation.
+- **BundleId** The identity of the flight associated with this product.
+- **CategoryId** The identity of the package(s) being installed.
+- **ClientAppId** Client App Id (different in case of auto updates or interactive updates from the app).
+- **IsBundle** The identity of the app that initiated this operation.
+- **IsInteractive** True if this operation was requested by a user.
+- **IsMandatory** True if this is a mandatory update.
+- **IsRemediation** True if this install is repairing a previous install.
+- **IsRestore** True when automatically restoring a previously acquired product.
+- **IsUpdate** True if this is a product update.
+- **ParentBundleId** The Product ID of the parent if this product is part of a bundle.
+- **PFN** Product Family Name of this product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** Total number of automatic attempts to install before cancellation.
+- **UserAttemptNumber** Total number of user attempts to install before cancellation.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginDownload
+
+This event is fired during the app update or install process when actual bits are being downloaded, this particular event is fired at the beginning of the process to indicate a state change to "Downloading". StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we won't be able to track the success/failure and fix any future vulnerabilities related to these built-in Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name(s) of all packages to be downloaded and installed.
+- **AttemptNumber** Total number of install attempts before this operation.
+- **BundleId** The identity of the flight associated with this product.
+- **CategoryId** The identity of the package(s) being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** True if this is a bundle.
+- **IsInteractive** True if this operation was requested by a user.
+- **IsMandatory** True if this is a mandatory update.
+- **IsRemediation** True if this install is repairing a previous install.
+- **IsRestore** True when automatically restoring a previously acquired product.
+- **IsUpdate** True if this is a product update.
+- **ParentBundleId** The product ID of the parent if this product is part of a bundle.
+- **PFN** Product Family Name of app being downloaded.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** Total number of automatic attempts to install before cancellation.
+- **UserAttemptNumber** Total number of user attempts to install before cancellation.
+- **WUContentId** NLicensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetFreeEntitlement
+
+Tracks the beginning of the call to get a free app entitlement.
+
+The following fields are available:
+
+- **CampaignId** Marketing Campaign Identifier.
+- **StoreId** App Store Catalog Id.
+- **UseDeviceId** Boolean value to select whether the entitlement should be a device versus a user entitlement.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginInstall
+
+This event is fired near the end stage of a new app install or update after the bits have been downloaded. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we won't be able to track the success/failure and fix any future vulnerabilities related to these built-in Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name(s) of all packages to be downloaded and installed.
+- **AttemptNumber** Total number of install attempts before this operation.
+- **BundleId** The identity of the flight associated with this product.
+- **CategoryId** The identity of the package(s) being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** True if this is a bundle.
+- **IsInteractive** True if this operation was requested by a user.
+- **IsMandatory** True if this is a mandatory update.
+- **IsRemediation** True if this install is repairing a previous install.
+- **IsRestore** True when automatically restoring a previously acquired product.
+- **IsUpdate** True if this is a product update.
+- **ParentBundleId** The product ID of the parent if this product is part of a bundle.
+- **PFN** The name(s) of the package(s) requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** Total number of automatic attempts to install.
+- **UserAttemptNumber** Total number of user attempts to install.
+- **WUContentId** Licensing identity of this package.
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginSearchUpdatePackages
+
+This event is fired when looking for app updates.
+
+The following fields are available:
+
+- **AttemptNumber** Total number of install attempts before this operation.
+- **BundleId** The identity of the flight associated with this product.
+- **CategoryId** The identity of the package(s) being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** True if this is a bundle.
+- **IsInteractive** True if this operation was requested by a user.
+- **IsMandatory** True if this is a mandatory update.
+- **IsRemediation** True if this install is repairing a previous install.
+- **IsRestore** True when automatically restoring a previously acquired product.
+- **IsUpdate** True if this is a product update.
+- **ParentBundleId** The product ID of the parent if this product is part of a bundle.
+- **PFN** The name(s) of the package(s) requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** Total number of automatic attempts to install.
+- **UserAttemptNumber** Total number of user attempts to install.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BlockLowPriorityWorkItems
+
+This event is fired when the BlockLowPriorityWorkItems method is called, stopping the queue from installing LowPriority work items.
+
+The following fields are available:
+
+- **ClientId** Client ID of the caller.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+- **AttemptNumber** Total number of installation attempts.
+- **BundleId** The identity of the Windows Insider build that is associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **IsUpdate** Is this a product update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of all packages to be downloaded and installed.
+- **PreviousHResult** The previous HResult code.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **ProductId** The name of the package or packages requested for installation.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **BundleId** The bundle ID
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetFreeEntitlement
+
+Telemetry is fired at the end of the call to request a free app entitlement, which will make a server call to get the entitlement.
+
+The following fields are available:
+
+- **CampaignId** Campaign marketing Id.
+- **HResult** Error result.
+- **StoreId** Store Catalog Id of item requesting ownership.
+- **UseDeviceId** Boolean value to select whether the entitlement should be a device versus a user entitlement.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AutoUpdateWorkScheduledWithUOTime** The time when work was first scheduled with UO. Value deleted when UO calls UnblockLowPriorityWorkItems.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+- **NumberOfApplicableUpdates** The number of packages returned by this operation.
+- **PFN** The PackageFullName of the app currently installed on the machine. This operation is scanning for an update for this app. Value will be empty if operation is scanning for updates for more than one app.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent after restoring user data (if any) that needs to be restored following a product install. It's used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FailedRetry** Indicates whether the installation or update retry was successful.
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product.
+- **InstalledPFuN** Package Full Name of the app that is installed and will be updated.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in.
+- **PluginWorkCreationHr** Resulting HResult error/success code from plugin work creation.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallRequestReceived
+
+This event is sent when a product install request is received by AppInstallManager.
+
+The following fields are available:
+
+- **ClientId** Client ID of the caller.
+- **StoreId** The Store ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.QueueStuckError
+
+This event indicates that the Install Queue is in a stuck state.
+
+The following fields are available:
+
+- **ItemLifetimeInSeconds** The amount of time elapsed since the item had been created in seconds at the time of the error.
+- **OpenSlots** The number of open slots in the queue at the time of the error.
+- **PendingItems** The number of pending items in the queue at the time of the error.
+- **QueueItems** The number of items in the queue at the time of the error.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.RestoreDeviceMetrics
+
+This event provides an informational summary of the apps returned from the restorable apps data store.
+
+The following fields are available:
+
+- **DeferredAppIds** The number of backed-up apps that will be auto-installed at an optimal time for the machine, determined by the policies of a Windows component called the Universal Orchestrator.
+- **DelayedAppIds** The number of backed-up apps that will be auto-installed one hour after device setup.
+- **NumBackupApps** The number of apps returned from the restorable apps data store.
+- **NumCompatibleApps** The number of backed-up apps reported by compatibility service to be compatible.
+- **NumIncompatibleApps** The number of backed-up apps reported by compatibility service to be incompatible.
+- **NumProcessedBackupApps** The number of backed-up apps for which we have instructed AppRestore Service to create a placeholder.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.RestoreError
+
+This event indicates a blocking error occurred during the restore compatibility check.
+
+The following fields are available:
+
+- **ErrorCode** The error code associated with the error.
+- **ErrorLocation** The location of the error.
+- **ErrorMessage** The message associated with the error.
+- **ErrorMethod** The method the error occurred in.
+- **ErrorName** The name of the error.
+- **ErrorType** The type of the error.
+- **LineNumber** The line number the error occurred on.
+- **Severity** The severity level of the error.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **ResumeClientId** The ID of the app that initiated the resume operation.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ScheduleWorkWithUO
+
+This event is fired when we schedule installs and/or updates with UO.
+
+The following fields are available:
+
+- **ClientId** Client ID of the caller.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The Store Catalog ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition of the app being updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
+
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CatalogId** The ID for the product being installed if the product is from a private catalog, such as the Enterprise catalog.
+- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product.
+- **HResult** The resulting HResult error/success code of this operation.
+- **NewState** The current fulfillment state of this product.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **PluginLastStage** The most recent product fulfillment step that the plug-in has reported (different than its state).
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in.
+- **Prevstate** The previous fulfillment state of this product.
+- **ProductId** Product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UnblockLowPriorityWorkItems
+
+This event is fired when the UnblockLowPriorityWorkItems method is called, changing the state of all LowPriority work items to working if AutoUpdateState is enabled.
+
+The following fields are available:
+
+- **ClientId** Client ID of the caller.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN** The name of the app that is requested for update.
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download being done in the background?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromLedbat** The number of bytes received from a source using an Ledbat enabled connection.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP Address of the source CDN (Content Delivery Network).
+- **cdnUrl** The URL of the source CDN (Content Delivery Network).
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller.
+- **reasonCode** Reason the action or event occurred.
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the file download session.
+- **sessionTimeMs** The duration of the download session, spanning multiple jobs, in milliseconds.
+- **totalTimeMs** The duration of the download, in milliseconds.
+- **updateID** The ID of the update being downloaded.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLedbat** The number of bytes received from source using an Ledbat enabled connection.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **cdnUrl** Url of the source Content Distribution Network (CDN).
+- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **expiresAt** The time when the content will expire from the Delivery Optimization Cache.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **groupID** A GUID representing a custom group of devices.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isThrottled** Event Rate throttled (event represents aggregated data).
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network.
+- **numPeers** The total number of peers used for this download.
+- **numPeersLocal** The total number of local peers used for this download.
+- **predefinedCallerName** The name of the API Caller.
+- **restrictedUpload** Is the upload restricted?
+- **routeToCacheServer** The cache server setting, source, and value.
+- **rttMs** Min, Max, Avg round-trip time to the source.
+- **rttRLedbatMs** Min, Max, Avg round-trip time to a Ledbat enabled source.
+- **sessionID** The ID of the download session.
+- **sessionTimeMs** The duration of the session, in milliseconds.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **cdnUrl** The URL of the source CDN (Content Delivery Network).
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller object.
+- **reasonCode** The reason for pausing the download.
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the download session.
+- **sessionTimeMs** The duration of the download session, spanning multiple jobs, in milliseconds.
+- **totalTimeMs** The duration of the download, in milliseconds.
+- **updateID** The ID of the update being paused.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Indicates whether the download is happening in the background.
+- **bytesRequested** Number of bytes requested for the download.
+- **callerAppPackageName** The caller app package name.
+- **cdnUrl** The URL of the source Content Distribution Network (CDN).
+- **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **fileSize** Total file size of the file that was downloaded.
+- **fileSizeCaller** Value for total file size provided by our caller.
+- **groupID** ID for the group.
+- **isEncrypted** Indicates whether the download is encrypted.
+- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data).
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **peerID** The ID for this delivery optimization client.
+- **predefinedCallerName** Name of the API caller.
+- **routeToCacheServer** Cache server setting, source, and value.
+- **sessionID** The ID for the file download session.
+- **setConfigs** A JSON representation of the configurations that have been set, and their sources.
+- **updateID** The ID of the update being downloaded.
+- **UusVersion** The version of the undocked update stack.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.Aggregator.UusCoreHealth.HealthAggregatorSummary
+
+This event is a summary of UUS health indicators.
+
+The following fields are available:
+
+- **Fallback** Failover information.
+- **FlightId** Payload that is being sent.
+- **IsStable** Boolean if the payload is in image.
+- **Lock** Lock identifier.
+- **UpdateId** Update identifier.
+- **UusVersion** Version of the undocked payload.
+- **VersionActivationsSinceLastBoot** Number of activations since last reboot.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.AppUpdateInstallResult
+
+This event reports installation result details of expedited apps.
+
+The following fields are available:
+
+- **Completed** Whether the installation completed.
+- **DeploymentAttempted** Whether the deployment was attempted.
+- **DeploymentErrorCode** The error code resulting from the deployment attempt.
+- **DeploymentExtendedErrorCode** The extended error code resulting from the deployment attempt.
+- **InstallFailureReason** On failure, the InstallFailureReason reported.
+- **OperationStatus** OperationStatus result reported by the installation attempt.
+- **Succeeded** Whether the installation succeeded.
+- **updaterId** The UpdaterId associated with this expedited app.
+- **UusVersion** The version of the UUS stack currently active.
+- **VelocityEnabled** Whether the velocity tag for the expedited app is enabled.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.BizCriticalStoreAppInstallAlreadyRunning
+
+This event indicates that another instance is currently attempting to install business critical store updates.
+
+The following fields are available:
+
+- **UusVersion** The version of the UUS Stack currently active.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.BizCriticalStoreAppInstallResult
+
+This event returns the result after installing a business critical store application. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AppInstallState** The application installation state.
+- **HRESULT** The result code (HResult) of the install.
+- **PFN** The package family name of the package being installed.
+- **updaterId** The Id of the updater.
+- **UusVersion** The version of the UUS stack currently active.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.EdgeUpdateResult
+
+This event sends data indicating the result of invoking the edge updater. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ExitCode** The exit code that was returned.
+- **HRESULT** The result code (HResult) of the operation.
+- **UusVersion** The version of the UUS stack currently active.
+- **VelocityEnabled** A flag that indicates if velocity is enabled.
+- **WorkCompleted** A flag that indicates if work is completed.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.MACUpdateInstallResult
+
+This event reports the installation result details of the MACUpdate expedited application.
+
+The following fields are available:
+
+- **Completed** Indicates whether the installation is complete.
+- **DeploymentAttempted** Whether the deployment was attempted.
+- **DeploymentErrorCode** The error code resulting from the deployment attempt.
+- **DeploymentExtendedErrorCode** The extended error code resulting from the deployment attempt.
+- **InstallFailureReason** Indicates the reason an install failed.
+- **IsRetriableError** Indications whether the error is retriable.
+- **OperationStatus** Returns the operation status result reported by the installation attempt.
+- **Succeeded** Indicates whether the installation succeeded.
+- **UusVersion** The version of the UUS stack currently active.
+- **VelocityEnabled** Indicates whether the velocity tag for MACUpdate is enabled.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM, or flight).
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
+- **UusVersion** Active version of UUS.
+
+
+### Microsoft.Windows.Update.Orchestrator.Worker.EulaAccepted
+
+Indicates that EULA for an update has been accepted.
+
+The following fields are available:
+
+- **HRESULT** Was the EULA acceptance successful.
+- **publisherIntent** Publisher Intent ID associated with the update.
+- **reason** Reason for EULA acceptance.
+- **update** Update for which EULA has been accepted.
+- **UusVersion** The version of the UUS stack currently active.
+
+
+### Microsoft.Windows.Update.Orchestrator.Worker.OobeUpdateApproved
+
+This event signifies an update being approved around the OOBE time period. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **approved** Flag to determine if it's approved or not.
+- **provider** The provider related to which the update is approved.
+- **publisherIntent** The publisher intent of the Update.
+- **update** Additional information about the Update.
+- **UusVersion** The version of the UUS Stack currently active.
+
+
+### Microsoft.Windows.Update.Orchestrator.Worker.SetIpuMode
+
+This event indicates that a provider is setting the inplace upgrade mode.
+
+The following fields are available:
+
+- **flightId** Flight Identifier.
+- **mode** The value being set.
+- **provider** The provider that is getting the value.
+- **reason** The reason the value is being set.
+- **uniqueId** Update Identifier.
+- **UusVersion** The version of the UUS Stack currently active.
+
+
+### Microsoft.Windows.Update.Orchestrator.Worker.UpdateActionCritical
+
+This event informs the update related action being performed around the OOBE timeframe. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **action** The type of action being performed (Install or download etc.).
+- **connectivity** Informs if the device is connected to network while this action is performed.
+- **freeDiskSpaceInMB** Amount of free disk space.
+- **freeDiskSpaceInMBDelta** Amount of free disk space.
+- **interactive** Informs if this action is caused due to user interaction.
+- **nextAction** Next action to be performed.
+- **priority** The CPU and IO priority this action is being performed on.
+- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.).
+- **publisherIntent** ID for the metadata associated with the update.
+- **scenario** The result of the action being performed.
+- **update** Update related metadata including UpdateId.
+- **uptimeMinutes** Duration USO for up for in the current boot session.
+- **uptimeMinutesDelta** The change in device uptime while this action was performed.
+- **UusVersion** The version of the UUS stack currently active.
+- **wilActivity** Wil Activity related information.
+
+### Microsoft.Windows.Update.SIHClient.CheckForUpdatesStarted
+
+Scan event for Server Initiated Healing client.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **TargetMetadataVersion** The detected version of the self healing engine that is currently downloading or downloaded.
+- **UusVersion** UUS version.
+- **WUDeviceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+
+
+### Microsoft.Windows.Update.SIHClient.CheckForUpdatesSucceeded
+
+Scan event for Server Initiated Healing client
+
+The following fields are available:
+
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Launch event for Server Initiated Healing client.
+- **TargetMetadataVersion** The detected version of the self healing engine that is currently downloading or downloaded.
+- **UusVersion** Active UUS Version.
+- **WUDeviceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+
+
+### Microsoft.Windows.Update.SIHClient.DownloadSucceeded
+
+Download process event for target update on SIH Client.
+
+The following fields are available:
+
+- **CachedEngineVersion** Version of the Cache Engine.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **DownloadType** Type of Download.
+- **EventInstanceID** ID of the Event Instance being fired.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **TargetMetadataVersion** Version of the Metadata which is being targeted for an update.
+- **UpdateID** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+- **WUDeviceID** Global Device ID utilized to identify Device.
+
+
+### Microsoft.Windows.Update.SIHClient.TaskRunCompleted
+
+This event is a launch event for Server Initiated Healing client.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **CmdLineArgs** Command line arguments passed in by the caller.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UusVersion** The version of the Update Undocked Stack.
+- **WUDeviceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+
+
+### Microsoft.Windows.Update.SIHClient.TaskRunStarted
+
+This event is a launch event for Server Initiated Healing client.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **CmdLineArgs** Command line arguments passed in by the caller.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UusVersion** The version of the Update Undocked Stack.
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Undocked.Brain.ActiveVersionUpdated
+
+This event gets fired when the active version of the Undocked Update Stack is being updated/
+
+The following fields are available:
+
+- **Fallback** Initiated Process.
+- **FlightID** FlightID associated.
+- **Lock** Lock Group Name.
+- **MinutesSinceInstall** Time to complete process.
+- **Stable** Is VersionActive from stable.
+- **UpdateID** Update identifier.
+- **VersionActive** The now active version of the UUS stack.
+- **VersionPrevious** The previous active version of the UUS stack.
+
+
+### Microsoft.Windows.Update.Undocked.Brain.FailoverVersionExcluded
+
+This event indicates Failover tried to exclude an UUS Version.
+
+The following fields are available:
+
+- **AlreadyExcluded** Boolean.
+- **Exception** The exception encountered during exclusion.
+- **ExclusionReason** Reason for the exclusion.
+- **Success** Success or failure indicator.
+- **VerFailover** The actual UUS Version that failover was running for.
+
+
+### Microsoft.Windows.Update.Undocked.UpdateAgent.DownloadRequest
+
+Download request for undocked update agent
+
+The following fields are available:
+
+- **errorCode** Error code.
+- **flightId** FlightID of the package.
+- **rangeRequestState** State of request for download range.
+- **relatedCV** CV for telemetry mapping.
+- **result** Result code.
+- **sessionId** Logging identification.
+- **updateId** Identifier for payload.
+- **uusVersion** Version of the UUS stack being installed.
+
+
+### Microsoft.Windows.Update.Undocked.UpdateAgent.Initialize
+
+Initialization event of undocked update agent.
+
+The following fields are available:
+
+- **errorCode** Error code.
+- **flightId** FlightID of the package.
+- **flightMetadata** Metadata.
+- **relatedCV** CV for telemetry mapping.
+- **result** Result code.
+- **sessionData** Additional logging.
+- **sessionId** Logging identification.
+- **updateId** Identifier for payload.
+- **uusVersion** Version of the UUS stack being installed.
+
+
+### Microsoft.Windows.Update.Undocked.UpdateAgent.Install
+
+Install event of undocked update agent.
+
+The following fields are available:
+
+- **errorCode** Error code.
+- **flightId** FlightID of the package.
+- **folderExists** Boolean.
+- **packageNewer** version of newer package.
+- **relatedCV** CV for telemetry mapping.
+- **result** Result code.
+- **retryCount** result count.
+- **sessionId** Logging identification.
+- **updateId** Identifier for payload.
+- **uusVersion** Version of the UUS stack being installed.
+
+
+### Microsoft.Windows.Update.Undocked.UpdateAgent.ModeStart
+
+Undocked update agent mode start event.
+
+The following fields are available:
+
+- **flightId** FlightID of the package.
+- **mode** Install or Download mode.
+- **relatedCV** CV for telemetry mapping.
+- **sessionId** Logging identification.
+- **updateId** Identifier for payload.
+- **uusVersion** Version of the UUS stack being installed.
+
+
+### Microsoft.Windows.Update.Undocked.UpdateAgent.Payload
+
+Payload event of undocked update agent.
+
+The following fields are available:
+
+- **errorCode** Error code.
+- **fileCount** Number of files to download.
+- **flightId** FlightID of the package.
+- **mode** Install or Download mode.
+- **relatedCV** CV for telemetry mapping.
+- **result** Result code.
+- **sessionId** Logging identification.
+- **updateId** Identifier for payload.
+- **uusVersion** Version of the UUS stack being installed.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesCanceled
+
+This event checks for updates canceled on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AADDeviceTicketResult** Identifies result of AAD Device Token Acquisition.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumFailedAudienceMetadataSignatures** Number of audience Publisher Intent metadata signatures checks which failed for new metadata synced.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced download.
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesFailed
+
+This event checks for failed updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AADDeviceTicketResult** Identifies result of AAD Device Token Acquisition.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateInfo** Information about the update failure.
+- **HandlerInfo** Blob of Handler related information.
+- **HandlerType** Name of Handler.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumFailedAudienceMetadataSignatures** Number of audience PublisherIntent metadata signatures checks which failed for new metadata synced.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced download.
+- **Props** A bitmask for additional flags associated with the Windows Update request (IsInteractive, IsSeeker, AllowCachedResults, DriverSyncPassPerformed, IPv4, IPv6, Online, ExtendedMetadataIncl, WUfb).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult.).
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UusVersion** Active UUSVersion.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesRetry
+
+This event checks for update retries on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesScanInitFailed
+
+This event checks for failed update initializations on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AADDeviceTicketResult** Identifies result of AAD Device Token Acquisition.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumFailedAudienceMetadataSignatures** Number of audience PublisherIntent metadata signatures checks which failed for new metadata synced.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced download.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was.
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UusVersion** Active UUS version.
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesServiceRegistrationFailed
+
+This event checks for updates for failed service registrations the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AADDeviceTicketResult** Identifies result of AAD Device Token Acquisition.
+- **CallerName** For drivers targeted to a specific device model, this is the version release of the drivers being distributed to the device.
+- **Context** Context of failure.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumFailedAudienceMetadataSignatures** Number of audience Publisher Intent metadata signatures checks which failed for new metadata synced.
+- **NumFailedMetadataSignatures** Number of audience Publisher Intent metadata signatures checks which failed for new metadata synced download.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was.
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesSucceeded
+
+This event checks for successful updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AADDeviceTicketInfo** Identifies result of AAD Device Token Acquisition.
+- **AADDeviceTicketResult** Identifies result of AAD Device Token Acquisition.
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **HandlerInfo** HandlerInfo Blob.
+- **HandlerType** HandlerType blob.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete.
+- **NumFailedAudienceMetadataSignatures** Number of audience PublisherIntent metadata signatures checks which failed for new metadata synced.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced download.
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **UusVersion** Active UUS version.
+- **WUFBInfo** WufBinfoBlob.
+
+
+### Microsoft.Windows.Update.WUClient.CommitFailed
+
+This event checks for failed commits on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.CommitStarted
+
+This event tracks the commit started event on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Current active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.CommitSucceeded
+
+This event is used to track the commit succeeded process, after the update installation, when the software update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Indicates the purpose of the event - whether scan started, succeeded, failed, etc.
+- **FlightId** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **HandlerType** The specific ID of the flight the device is getting.
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadCanceled
+
+This event tracks the download canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Name of application making the Windows Update request. Used to identify context of request.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadStartTimeUTC** Download start time to measure the length of the session.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerInfo** HandlerInfo Blob.
+- **HandlerType** HandlerType Blob.
+- **HostName** Identifies the hostname.
+- **NetworkCost** Identifies the network cost.
+- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted.
+- **Props** A bitmask for additional flags associated with the download request.
+- **Reason** Cancel reason information.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadFailed
+
+This event tracks the download failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Name of application making the Windows Update request. Used to identify context of request.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Provides context about distribution stack for reporting.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadStartTimeUTC** Start time to measure length of session.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerInfo** HandlerInfo Blob.
+- **HandlerType** HandlerType Blob.
+- **HostName** Identifies the hostname.
+- **NetworkCost** Identifies the network cost.
+- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted.
+- **Props** Commit Props (MergedUpdate).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadPaused
+
+This event is fired when the Download stage is paused.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **FlightId** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **HandlerInfo** Blob of Handler related information.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props (MergedUpdate)
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadQueued
+
+This event tracks the download queued event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerInfo** Blob of Handler related information.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props (MergedUpdate)
+- **QueuedReason** The reason in which a download has been queued.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadResumed
+
+This event is fired when the Download of content is continued from a pause state.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **FlightId** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **HandlerInfo** Blob of Handler related information.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props (MergedUpdate)
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClient.InstallCanceled
+
+This event tracks the install canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Install props (UsedSystemVolume, MergedUpdate, IsSuccessFailurePostReboot, isInteractive)
+- **Reason** Install canceled reason.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.InstallFailed
+
+This event tracks the install failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerInfo** Handler specific information.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Install props (UsedSystemVolume, MergedUpdate, IsSuccessFailurePostReboot, isInteractive)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UndockedComponents** Information about the undocked components.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.InstallRebootPending
+
+This event tracks the install reboot pending event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Install props (UsedSystemVolume, MergedUpdate, IsSuccessFailurePostReboot, isInteractive)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+### Microsoft.Windows.Update.WUClient.InstallStarted
+
+The event tracks the install started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Install props (UsedSystemVolume, MergedUpdate, IsSuccessFailurePostReboot, isInteractive)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.InstallSucceeded
+
+The event tracks the successful install event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerInfo** Handler specific datapoints.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Install props (UsedSystemVolume, MergedUpdate, IsSuccessFailurePostReboot, isInteractive)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UndockedComponents** Information about the undocked components.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.RevertFailed
+
+This event tracks the revert failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props (MergedUpdate)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClient.RevertStarted
+
+This event tracks the revert started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Revert props (MergedUpdate)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClient.RevertSucceeded
+
+The event tracks the successful revert event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ClassificationId** Classification identifier of the update content.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Revert props (MergedUpdate)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UndockedComponents** Information consisting of Id, HR, ModuleVer, LoadProps, Path relating to the Undocked component.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClientExt.DownloadCheckpoint
+
+This is a checkpoint event between the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **FileId** Unique identifier for the downloaded file.
+- **FileName** Name of the downloaded file.
+- **FlightId** The specific ID of the flight the device is getting.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClientExt.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BytesTotal** Total bytes to transfer for this content.
+- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat.
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat.
+- **CurrentError** Last (transient) error encountered by the active download.
+- **DownloadHBFlags** Flags indicating if power state is ignored.
+- **DownloadState** Current state of the active download for this content (queued, suspended, progressing).
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** The specific ID of the flight the device is getting.
+- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any.
+- **MOUpdateDownloadLimit** Mobile operator cap on size of OS update downloads, if any.
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, Connected Standby).
+- **Props** Commit Props (MergedUpdate)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ResumeCount** Number of times this active download has resumed from a suspended state.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SuspendCount** Number of times this active download has entered a suspended state.
+- **SuspendReason** Last reason for which this active download has entered suspended state.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityFragmentSigning
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **LeafCertId** IntegralIDfrom the FragmentSigning data for certificate which failed.
+- **ListOfSHA256OfIntermediateCerData** List of Base64 string of hash of intermediate cert data.
+- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id).
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **RawValidityWindowInDays** Raw unparsed string of validity window in effect when verifying the timestamp.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfLeafCerData** Base64 string of hash of the leaf cert data.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityGeneral
+
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+
+The following fields are available:
+
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EndpointUrl** Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.)
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult)
+- **UusVersion** The version of the Update Undocked Stack
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegritySignature
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **LeafCertId** IntegralIDfrom the FragmentSigning data for certificate which failed.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id).
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **RevisionId** Identifies the revision of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key.
+- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob.
+- **SignatureAlgorithm** Hash algorithm for the metadata signature.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is malformed and decoding failed.
+- **UpdateID** String of update ID and version number.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityTimestamp
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
+- **UusVersion** Active UUS Version.
+- **ValidityWindowInDays** Validity window in effect when verifying the timestamp.
+
+
+### Microsoft.Windows.Update.WUClientExt.UUSLoadModuleFailed
+
+This is the UUSLoadModule failed event and is used to track the failure of loading an undocked component. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ModulePath** Path of the undocked module.
+- **ModuleVersion** Version of the undocked module.
+- **Props** A bitmask for flags associated with loading the undocked module.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **StatusCode** Result of the undocked module loading operation.
+- **UusSessionID** Unique ID used to create the UUS session.
+- **UusVersion** Active UUS version.
+
+
+## Winlogon events
+
+### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
+
+This event signals the completion of the setup process. It happens only once during the first logon.
\ No newline at end of file
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 15649caaf5..dc34bef60a 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 04/24/2024
+ms.date: 10/08/2024
ms.collection: privacy-windows
ms.topic: reference
---
@@ -19,6 +19,8 @@ ms.topic: reference
- Windows 11, version 21H2
+> [!IMPORTANT]
+> This version of Windows 11 has reached its end of servicing date. For more information, see [Microsoft Product Lifecyle](/lifecycle/products).
Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@@ -28,6 +30,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@@ -167,7 +170,6 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser binary generating the events.
-
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
@@ -438,7 +440,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
+- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@@ -1475,7 +1477,7 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine.
-- **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
+- **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted.
- **EnrollmentType** Defines the type of MDM enrollment on the device.
- **HashedDomain** The hashed representation of the user domain used for login.
@@ -1490,7 +1492,6 @@ The following fields are available:
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
-
### Census.Firmware
This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
@@ -1948,7 +1949,7 @@ Fires at the beginning and end of the HVCI auto-enablement process in sysprep.
The following fields are available:
-- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure.
+- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating success or failure.
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciAlreadyEnabled
@@ -1956,6 +1957,7 @@ The following fields are available:
Fires when HVCI is already enabled so no need to continue auto-enablement.
+
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
Fires when driver scanning fails to get results.
@@ -2197,6 +2199,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
+
## Common data fields
### Ms.Device.DeviceInventoryChange
@@ -2212,6 +2215,7 @@ The following fields are available:
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+
## Component-based servicing events
### CbsServicingProvider.CbsCapabilityEnumeration
@@ -2985,6 +2989,7 @@ The following fields are available:
- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
- **wilActivity** Windows Mixed Reality Portal app wilActivity ID.
+
### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
@@ -3570,7 +3575,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
-This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
+This event provides data on Unified Update Platform (UUP) products and what version they're at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3753,7 +3758,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
-- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. See the wiki for additional information. Default: undefined.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@@ -3761,13 +3766,13 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. See the wiki for additional information. Default: '-2'.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched.
-- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. See the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
@@ -3781,8 +3786,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enum indicating the result of the event. See the wiki for additional information. Default: '0'.
-- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. See the wiki for additional information.
+- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@@ -3794,9 +3799,9 @@ The following fields are available:
- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
-- **appVersion** The version of the product install. See the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **eventType** A string indicating the type of the event. See the wiki for additional information.
+- **eventType** A string indicating the type of the event.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **hwDiskType** Device’s hardware disk type.
- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
@@ -3996,7 +4001,6 @@ The following fields are available:
- **extendedData** GTL extended data section for each app to add its own extensions.
- **timeToActionMs** Time in MS for this Page Action.
-
### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware.
@@ -4312,7 +4316,7 @@ The following fields are available:
- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
- **EventType** Possible values are "Child", "Bundle", or "Driver"
- **FlightId** The unique identifier for each flight
-- **IsNetworkMetered** Indicates whether Windows considered the current network to be metered"
+- **IsNetworkMetered** Indicates whether Windows considered the current network to be "metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
@@ -5185,7 +5189,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends a summary of all the update agent mitigations available for an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5618,7 +5622,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
@@ -5665,7 +5669,7 @@ The following fields are available:
- **pluginFailureCount** The number of plugins that have failed.
- **pluginsCount** The number of plugins.
- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
-- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn it back on.
- **usingBackupFeatureAssessment** Relying on backup feature assessment.
- **usingBackupQualityAssessment** Relying on backup quality assessment.
- **usingCachedFeatureAssessment** WaaS Medic run didn't get OS build age from the network on the previous run.
@@ -5678,7 +5682,7 @@ The following fields are available:
### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event.
The following fields are available:
@@ -6108,7 +6112,7 @@ The following fields are available:
- **CatalogId** The Store Catalog ID for the product being installed.
- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specfic edition of the app being updated.
+- **SkuId** Specific edition of the app being updated.
### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
@@ -6355,7 +6359,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan.
-- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCancelled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt.
@@ -6589,6 +6593,15 @@ The following fields are available:
- **WasPresented** True if the user interaction campaign is displayed to the user.
+### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
+
+This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed.
+
+
## Windows Update mitigation events
### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete
@@ -6840,7 +6853,4 @@ The following fields are available:
- **Disposition** The parameter for the hard reserve adjustment function.
- **Flags** The flags passed to the hard reserve adjustment function.
- **PendingHardReserveAdjustment** The final change to the hard reserve size.
-- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve.
-
-
-
+- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve.
\ No newline at end of file
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 4fb9beb260..e008b7598b 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 04/24/2024
+ms.date: 10/01/2024
ms.collection: privacy-windows
ms.topic: reference
---
@@ -31,6 +31,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@@ -873,7 +874,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
+- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@@ -2476,7 +2477,8 @@ Fires when the compatibility check completes. Gives the results from the check.
The following fields are available:
- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
-- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement).
+- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement).
+
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
@@ -4334,6 +4336,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory binary generating the events.
+
### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd
This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date.
@@ -4608,6 +4611,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
@@ -4858,7 +4862,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
-This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
+This event provides data on Unified Update Platform (UUP) products and what version they're at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -5148,7 +5152,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
-- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@@ -5156,13 +5160,13 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched.
-- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
@@ -5180,8 +5184,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
-- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@@ -5195,9 +5199,9 @@ The following fields are available:
- **appUpdateCheckTargetChannel** Check for status showing the target release channel.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
-- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **eventType** A string indicating the type of the event.
- **expDeviceId** A non-unique resettable device ID to identify a device in experimentation.
- **expEtag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
@@ -5618,6 +5622,7 @@ The following fields are available:
- **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier
+- **SurfaceTelemetry_EventType** Required vs. Optional event
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
@@ -5639,6 +5644,7 @@ This event sends information about the Operating System image name to Microsoft.
The following fields are available:
+- **SurfaceTelemetry_EventType** Required vs. Optional event
- **szOsImageName** This is the image name that is running on the device.
@@ -5691,6 +5697,7 @@ The following fields are available:
- **UpdateType** Indicates if it's DB or DBX update
- **WillResealSucceed** Indicates if TPM reseal operation is expected to succeed
+
### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
Event that indicates secure boot update has started.
@@ -5746,9 +5753,7 @@ The following fields are available:
- **touchKeyboardDesktop** Touch keyboard desktop
- **touchKeyboardTablet** Touch keyboard tablet
- **triggerType** Trigger type
-- **usePowershell** Use PowerShell
-
-
+- **usePowershell** Use PowerShell.
## Privacy consent logging events
@@ -6558,8 +6563,9 @@ The following fields are available:
- **CUtility::GetTargetNameA(Target)** Sub component name.
- **HealthLog** Health indicator log.
- **healthLogSize** 4KB.
+- **PartA_PrivacyProduct** Product tag
- **productId** Identifier for product model.
-
+- **SurfaceTelemetry_EventType** Required vs. Optional event
### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
@@ -6568,9 +6574,25 @@ This event sends reason for SAM, PCH and SoC reset. The data collected with this
The following fields are available:
- **ControllerResetCause** The cause for the controller reset.
+- **EcResetCause** EC reset cause.
+- **FaultReset1Cause** Fault 1 reset cause.
+- **FaultReset2Cause** Fault 2 reset cause.
- **HostResetCause** Host reset cause.
+- **OffResetCause** Off reset cause.
+- **OnResetCause** On reset cause.
+- **PartA_PrivacyProduct** Product tag
- **PchResetCause** PCH reset cause.
+- **PoffResetCause** Power Off reset cause.
+- **PonResetCause** Power On reset cause.
+- **S3ResetCause** S3 reset cause.
- **SamResetCause** SAM reset cause.
+- **SamResetCauseExtBacklightState** SAM Reset Display Backlight state.
+- **SamResetCauseExtLastPowerButtonTime** SAM Reset Last Power Button time.
+- **SamResetCauseExtLastSshCommunicationTime** SAM Reset Last SSH Communication time.
+- **SamResetCauseExtPostureStateReason** SAM Reset Last Posture State reason.
+- **SamResetCauseExtRestartReason** SAM Reset Extended Restart reason.
+- **SurfaceTelemetry_EventType** Required vs. Optional event.
+- **WarmResetCause** Warm reset cause.
## Update Assistant events
@@ -10018,7 +10040,4 @@ The following fields are available:
- **videoResolution** Video resolution to use.
- **virtualMachineName** VM name.
- **waitForClientConnection** True if we should wait for client connection.
-- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled.
-
-
-
+- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled.
\ No newline at end of file
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 9c47130eca..e177a03cd3 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -13,6 +13,8 @@
href: diagnostic-data-viewer-powershell.md
- name: Required Windows diagnostic data events and fields
items:
+ - name: Windows 11, version 24H2
+ href: required-diagnostic-events-fields-windows-11-24H2.md
- name: Windows 11, versions 23H2 and 22H2
href: required-diagnostic-events-fields-windows-11-22H2.md
- name: Windows 11, version 21H2
diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md
index fb9459ba79..2cb7a70074 100644
--- a/windows/privacy/windows-privacy-compliance-guide.md
+++ b/windows/privacy/windows-privacy-compliance-guide.md
@@ -8,7 +8,7 @@ author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 05/20/2019
-ms.topic: conceptual
+ms.topic: article
ms.collection: essentials-compliance
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
index 8ea04f6820..d6095213cd 100644
--- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
@@ -3,7 +3,7 @@ title: Designing, creating, managing, and troubleshooting App Control for Busine
description: How to design, create, manage, and troubleshoot your App Control AppId Tagging policies
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
---
# App Control Application ID (AppId) Tagging guide
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
index 82fbcd6156..3ab782c3a7 100644
--- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Deploying App Control for Business AppId tagging policies
description: How to deploy your App Control AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
---
# Deploying App Control for Business AppId tagging policies
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md
index 363d4b5dd8..a56bbb1694 100644
--- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Create your App Control for Business AppId Tagging Policies
description: Create your App Control for Business AppId tagging policies for Windows devices.
ms.localizationpriority: medium
ms.date: 09/23/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Creating your App Control AppId Tagging Policies
@@ -21,7 +21,7 @@ You can use the App Control for Business Wizard and the PowerShell commands to c
:::image type="content" alt-text="Configuring the policy base and template." source="../images/appid-appcontrol-wizard-1.png" lightbox="../images/appid-appcontrol-wizard-1.png":::
> [!NOTE]
- > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
+ > If your AppId Tagging Policy does not build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
index 5520d9161c..c29cba2822 100644
--- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
+++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
@@ -3,7 +3,7 @@ title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
---
# App Control for Business and AppLocker Overview
diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md
index 561da483b6..a778ffc2fb 100644
--- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md
@@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
-ms.date: 09/11/2024
+ms.date: 10/25/2024
ms.topic: overview
---
@@ -30,9 +30,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## App Control and Smart App Control
-Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control. App control enables enterprise customers to create a policy that offers the same security and compatibility as Smart App Control with the capability to customize policies to run line-of-business (LOB) apps. To make it easier to implement policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
-Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@@ -43,15 +43,6 @@ Smart App Control is only available on clean installation of Windows 11 version
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
-### Smart App Control Enforced Blocks
-
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-appcontrol.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
-
-- Infdefaultinstall.exe
-- Microsoft.Build.dll
-- Microsoft.Build.Framework.dll
-- Wslhost.dll
-
[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)]
## Related articles
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 64ec3acfbf..19aa013427 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -2,7 +2,7 @@
title: Add rules for packaged apps to existing AppLocker rule-set
description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
index d2e0c1da1e..f4251d5025 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
@@ -2,7 +2,7 @@
title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
index 7314cce2f9..b23c2bbb56 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
@@ -2,7 +2,7 @@
title: AppLocker architecture and components
description: This article for IT professional describes AppLocker’s basic architecture and its major components.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
index 2ce3ad5532..cd332a947e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
@@ -2,7 +2,7 @@
title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
index 1af7a371bb..0123fba7fe 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
@@ -4,7 +4,7 @@ description: This article provides a description of AppLocker and can help you d
ms.collection:
- tier3
- must-keep
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
index 8520621d36..2708051c46 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
@@ -2,7 +2,7 @@
title: AppLocker deployment guide
description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
index 174ed4907c..af106d2482 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
@@ -2,7 +2,7 @@
title: AppLocker design guide
description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
index 0d11e182ca..0b9425c2ca 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
@@ -2,7 +2,7 @@
title: AppLocker policy use scenarios
description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
index 4bc0bd0949..b28e45f232 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
@@ -2,7 +2,7 @@
title: AppLocker processes and interactions
description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
index 5dd3820526..057585ea54 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
@@ -2,7 +2,7 @@
title: AppLocker technical reference
description: This overview article for IT professionals provides links to the articles in the technical reference.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
index 422f3a9acd..3d09c7ce9a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -2,7 +2,7 @@
title: Configure an AppLocker policy for audit only
description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 07c51af5bb..8055479a03 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -2,7 +2,7 @@
title: Configure an AppLocker policy for enforce rules
description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
index 11900e02c0..8e24b48f1d 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -2,7 +2,7 @@
title: Add exceptions for an AppLocker rule
description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
index f6acca16ba..95d762964d 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
@@ -2,7 +2,7 @@
title: Configure the AppLocker reference device
description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
index c4156e9b57..b9668e661e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
@@ -2,7 +2,7 @@
title: Configure the Application Identity service
description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
index 07fd6f2866..2122d84f16 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
@@ -2,7 +2,7 @@
title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index b764bb0493..e0c5ec4e77 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -2,7 +2,7 @@
title: Create a rule that uses a file hash condition
description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
index fe26c1ee6a..97e052584c 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -2,7 +2,7 @@
title: Create a rule that uses a path condition
description: This article for IT professionals shows how to create an AppLocker rule with a path condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 9b07438ec7..bebb1b7c3e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -2,7 +2,7 @@
title: Create a rule that uses a publisher condition
description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
index fd2aa8e292..fa3029ebd9 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
@@ -2,7 +2,7 @@
title: Create AppLocker default rules
description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
index f015e79882..a573b63891 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -2,7 +2,7 @@
title: Create a list of apps deployed to each business group
description: This article describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
index 69119137f4..0b361247b2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
@@ -2,7 +2,7 @@
title: Create Your AppLocker policies
description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
index 415e9582f8..be793460ce 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
@@ -2,7 +2,7 @@
title: Create Your AppLocker rules
description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md b/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
index 95836e5b28..24a0f10b39 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
@@ -2,7 +2,7 @@
title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 83e603b364..50bc9f1a76 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -2,7 +2,7 @@
title: Deploy AppLocker policies by using the enforce rules setting
description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
index 941a047e99..37ffcce44c 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
@@ -2,7 +2,7 @@
title: Deploy the AppLocker policy into production
description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 29380fe1e1..64a91162b6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -2,7 +2,7 @@
title: Determine the Group Policy structure and rule enforcement
description: This overview article describes the process to follow when you're planning to deploy AppLocker rules.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index e1c6c88c0a..232f42ee6b 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -2,7 +2,7 @@
title: Find digitally signed apps on a reference device
description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index bf1a962a76..e3764dc3cf 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -2,7 +2,7 @@
title: Display a custom URL message when users try to run a blocked app
description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
index 054c18fb61..c26bd8e92a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
@@ -2,7 +2,7 @@
title: DLL rules in AppLocker
description: This article describes the file formats and available default rules for the DLL rule collection.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index b440a69b68..4493170c14 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -2,7 +2,7 @@
title: Document Group Policy structure & AppLocker rule enforcement
description: This planning article describes what you need to include in your plan when you use AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
index 00e357875d..49bcd565c3 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
@@ -2,7 +2,7 @@
title: Document your app list
description: This planning article describes the app information that you should document when you create a list of apps for AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
index efd0c0211f..1748c76b96 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
@@ -2,7 +2,7 @@
title: Document your AppLocker rules
description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
index 3ebf404dc6..0b3a920b1e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
@@ -2,7 +2,7 @@
title: Edit an AppLocker policy
description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
index 7ae6e91083..ca8f3762b4 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
@@ -2,7 +2,7 @@
title: Edit AppLocker rules
description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md b/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
index c2569a0918..4cfe8b0a77 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
@@ -2,7 +2,7 @@
title: Enable the DLL rule collection
description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
index 2abb621ddc..ac0281aec5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
@@ -2,7 +2,7 @@
title: Enforce AppLocker rules
description: This article for IT professionals describes how to enforce application control rules by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
index 99ffe04a6d..650edc17f1 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
@@ -2,7 +2,7 @@
title: Executable rules in AppLocker
description: This article describes the file formats and available default rules for the executable rule collection.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
index c9fe560838..29c9cb278a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -2,7 +2,7 @@
title: Export an AppLocker policy from a GPO
description: This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
index 106a4d836e..26be647e22 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -2,7 +2,7 @@
title: Export an AppLocker policy to an XML file
description: This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md b/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
index c704a9e977..b9871903f4 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
@@ -2,7 +2,7 @@
title: How AppLocker works
description: This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
index 2472b7892c..65c625d6c9 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
@@ -2,7 +2,7 @@
title: Import an AppLocker policy from another computer
description: This article for IT professionals describes how to import an AppLocker policy.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
index 039d978649..787dd87c42 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -2,7 +2,7 @@
title: Import an AppLocker policy into a GPO
description: This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
index a4926c5f73..52f968351b 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
@@ -2,7 +2,7 @@
title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
index b3e041a0f1..a8a538ae01 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
@@ -2,7 +2,7 @@
title: Manage packaged apps with AppLocker
description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index 4df24222a0..cb352b0eaa 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -2,7 +2,7 @@
title: Merge AppLocker policies by using Set-ApplockerPolicy
description: This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
index 324bef3248..c28de87a29 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
@@ -2,7 +2,7 @@
title: Merge AppLocker policies manually
description: This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
index 14b704afe3..a77f07e9a4 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
@@ -2,7 +2,7 @@
title: Monitor app usage with AppLocker
description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
index f160bda367..e19aced7fc 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
@@ -2,7 +2,7 @@
title: Optimize AppLocker performance
description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 7085567383..edae5b70c8 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -2,7 +2,7 @@
title: Packaged apps and packaged app installer rules in AppLocker
description: This article explains the AppLocker rule collection for packaged app installers and packaged apps.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md b/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
index 51f30ea841..369cd12de6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
@@ -2,7 +2,7 @@
title: Plan for AppLocker policy management
description: This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
index 5d2df1f250..78ddebd7b1 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
@@ -2,7 +2,7 @@
title: Refresh an AppLocker policy
description: This article for IT professionals describes the steps to force an update for an AppLocker policy.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
index 2caf917483..ca1dd0b0c7 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
@@ -2,7 +2,7 @@
title: Requirements for deploying AppLocker policies
description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
index 7bb94f1197..1cdee958cf 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
@@ -2,7 +2,7 @@
title: Requirements to use AppLocker
description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
index e4481ab2c7..deab94e661 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
@@ -4,7 +4,7 @@ description: This article describes the RuleCollectionExtensions added in Window
ms.collection:
- tier3
- must-keep
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
index 3108458c0f..d503b89562 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
@@ -2,7 +2,7 @@
title: Run the Automatically Generate Rules wizard
description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
index bc342eba8b..a9f2b80103 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
@@ -2,7 +2,7 @@
title: Script rules in AppLocker
description: This article describes the file formats and available default rules for the script rule collection.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
@@ -26,7 +26,7 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder | Everyone | Path: `%programfiles%\*`|
> [!NOTE]
-> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode.
+> When a script runs that isn't allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode.
## Related articles
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
index 6a11796ca7..894f2f14ac 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
@@ -2,7 +2,7 @@
title: Security considerations for AppLocker
description: This article for the IT professional describes the security considerations you need to address when implementing AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
index 8000ce41d4..b6385e0a25 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
@@ -2,7 +2,7 @@
title: Select the types of rules to create
description: This article lists resources you can use when selecting your application control policy rules by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index c7042db13e..88e65e3da6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -2,7 +2,7 @@
title: Test an AppLocker policy by using Test-AppLockerPolicy
description: This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
index 00e03f5081..4b23691309 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
@@ -2,7 +2,7 @@
title: Test and update an AppLocker policy
description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
index 5b1ed0083d..f595601d15 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
@@ -2,7 +2,7 @@
title: Tools to use with AppLocker
description: This article for the IT professional describes the tools available to create and administer AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
index 3cc00fdf6e..4cca71d421 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
@@ -2,7 +2,7 @@
title: Understand AppLocker policy design decisions
description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 89f62e0cb9..28f45a1745 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -2,7 +2,7 @@
title: Understand AppLocker rules and enforcement setting inheritance in Group Policy
description: This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
index 43e63220e5..74fde9a437 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
@@ -2,7 +2,7 @@
title: Understand the AppLocker policy deployment process
description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index 86c795601f..042da1bb93 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -2,7 +2,7 @@
title: Understanding AppLocker allow and deny actions on rules
description: This article explains the differences between allow and deny actions on AppLocker rules.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
index 67b52608e3..d1ebca2a82 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
@@ -2,7 +2,7 @@
title: Understanding AppLocker default rules
description: This article for IT professional describes the set of rules that can be used to ensure that required Windows system files continue to run when the policy is applied.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
index 0d9b08e51c..bb26a44584 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
@@ -2,7 +2,7 @@
title: Understanding AppLocker rule behavior
description: This article describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
index 8ee9ed92d5..16d2b01891 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
@@ -2,7 +2,7 @@
title: Understanding AppLocker rule collections
description: This article explains the five different types of AppLocker rule collections used to enforce AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
@@ -19,11 +19,11 @@ An AppLocker rule collection is a set of rules that apply to one of five types:
- Packaged apps and packaged app installers: .appx
> [!IMPORTANT]
-> Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems.
+> Each app can load several DLLs, and AppLocker must check each DLL before it's allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems.
>
> DLL rules might cause performance problems on some computers which are already resource constrained.
>
-> As a result, the DLL rule collection is not enabled by default.
+> As a result, the DLL rule collection isn't enabled by default.
For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
index 1bbbc6329c..fcdb46f43a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
@@ -2,7 +2,7 @@
title: Understanding AppLocker rule condition types
description: This article for the IT professional describes the three types of AppLocker rule conditions.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
index b95fadae6e..1b3ef8493e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
@@ -2,7 +2,7 @@
title: Understanding AppLocker rule exceptions
description: This article describes the result of applying AppLocker rule exceptions to rule collections.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index b9460ff54a..690672cd30 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -2,7 +2,7 @@
title: Understanding the file hash rule condition in AppLocker
description: This article explains how to use the AppLocker file hash rule condition and its advantages and disadvantages.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
index 4175eba0ef..608669ebc2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -2,7 +2,7 @@
title: Understanding the path rule condition in AppLocker
description: This article explains how to apply the AppLocker path rule condition and its advantages and disadvantages.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index be3c3767d4..4250c2c57b 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -2,7 +2,7 @@
title: Understanding the publisher rule condition in AppLocker
description: This article explains how to apply the AppLocker publisher rule condition and what controls are available.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 8bc76ea93a..d9101a04ea 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -2,7 +2,7 @@
title: Use a reference device to create and maintain AppLocker policies
description: This article for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 574c33a03b..8bf591dcbe 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -2,7 +2,7 @@
title: Use the AppLocker Windows PowerShell cmdlets
description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
index 65fa1be015..e73c36db1f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
@@ -2,7 +2,7 @@
title: Using Event Viewer with AppLocker
description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
index 9fa362969d..9ea3549d83 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
@@ -2,7 +2,7 @@
title: What Is AppLocker
description: This article for the IT professional describes what AppLocker is.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
index cfc1ce02c6..bbf33108ab 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
@@ -2,7 +2,7 @@
title: Windows Installer rules in AppLocker
description: This article describes the file formats and available default rules for the Windows Installer rule collection.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md
index 2a7f5153ec..24899eecfc 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md
@@ -2,7 +2,7 @@
title: Working with AppLocker policies
description: This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md
index c827358a61..74f328bc4a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md
@@ -4,7 +4,7 @@ description: This article for IT professionals describes AppLocker rule types an
ms.localizationpriority: medium
msauthor: jsuther
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
---
# Working with AppLocker rules
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
index 4ee7ef2757..42881a0f12 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
@@ -43,7 +43,7 @@ All App Control for Business policy changes should be deployed in audit mode bef
## Choose how to deploy App Control policies
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
+> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
index 6f8919e77d..5689af4c35 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
@@ -3,7 +3,7 @@ title: Use audit events to create App Control policy rules
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the App Control policy.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Use audit events to create App Control policy rules
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
index 773daf6a82..3629311b66 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
@@ -2,7 +2,7 @@
title: Create a code signing cert for App Control for Business
description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or App Control policies internally.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
index 369252b993..2d47be74a6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
@@ -16,13 +16,13 @@ This article describes how to deploy App Control for Business policies using scr
You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
+> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
-## Deploying policies for Windows 11 22H2 and above
+## Deploying policies for Windows 11 22H2 and above, and Windows Server 2025 and above
-You can use the inbox [CiTool](../operations/citool-commands.md) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file.
+You can use the inbox [CiTool](../operations/citool-commands.md) to deploy signed and unsigned policies on Windows 11 22H2 and Windows Server 2025 with the following commands. Be sure to replace `` in the following example with the actual path to your App Control policy binary file.
```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML)
@@ -58,7 +58,7 @@ To use this procedure, download and distribute the [App Control policy refresh t
## Deploying policies for all other versions of Windows and Windows Server
-Use WMI to apply policies on all other versions of Windows and Windows Server.
+Use WMI to deploy policies on all other versions of Windows and Windows Server.
1. Initialize the variables to be used by the script.
@@ -82,7 +82,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server.
## Deploying signed policies
-If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned App Control policies don't need to be present in the EFI partition.
+If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition.
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md
index c2434abfb4..8e1874bbe3 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md
@@ -15,15 +15,17 @@ ms.topic: how-to
There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies.
> [!IMPORTANT]
-> **Signed App Control policy**
+> **Signed Base App Control policy**
>
-> If the policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
+> If the base policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
>
> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \.
>
> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace.
>
> You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.***
+>
+> Signed supplemental App Control policies can be removed in the same manner as unsigned policies, without the need to follow the aforementioned steps
Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer.
@@ -35,9 +37,6 @@ To make a policy effectively inactive before removing it, you can first replace
4. Allow all COM objects. See [Allow COM object registration in an App Control policy](../design/allow-com-object-registration-in-appcontrol-policy.md#examples);
5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only.
-> [!IMPORTANT]
-> After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device.
-
### Remove App Control policies using CiTool.exe
Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove:
@@ -46,7 +45,8 @@ Beginning with the Windows 11 2022 Update, you can remove App Control policies u
CiTool.exe -rp "{PolicyId GUID}" -json
```
-Then restart the computer.
+> [!NOTE]
+> Beginning with the Windows 11 2024 update, unsigned policies can be removed using CiTool.exe without requiring a restart. In previous versions of Windows, however, a restart is required to complete the removal process.
### Remove App Control policies using MDM solutions like Intune
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md b/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
index 69735b11bd..3710567ff2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
@@ -2,7 +2,7 @@
title: Use code signing for added control and protection with App Control
description: Code signing can be used to better control Win32 app authorization and add protection for your App Control for Business policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md b/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
index 6aa667b28a..af4b9ec7a8 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
@@ -2,7 +2,7 @@
title: Use signed policies to protect App Control for Business against tampering
description: Signed App Control for Business policies give organizations the highest level of malware protection available in Windows 10 and Windows 11.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
index 6e31a5e523..5a5945c92c 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
@@ -3,7 +3,7 @@ title: App Control for Business and .NET
description: Understand how App Control and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
---
# App Control for Business and .NET
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md
index 73bbde562c..74cccbdaad 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md
@@ -2,7 +2,7 @@
title: App Control for Business design guide
description: Microsoft App Control for Business allows organizations to control what apps and drivers will run on their managed Windows devices.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md
index 5de28ef21c..02e0814f1f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md
@@ -2,7 +2,7 @@
title: App Control for Business Wizard Base Policy Creation
description: Creating new base App Control policies with the App Control Wizard.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md
index 3cd72d3fcd..e0bb02d843 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md
@@ -2,7 +2,7 @@
title: App Control for Business Wizard Supplemental Policy Creation
description: Creating supplemental App Control policies with the App Control Wizard.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md
index 8818dc5ae7..832e5b3936 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md
@@ -2,7 +2,7 @@
title: Editing App Control for Business Policies with the Wizard
description: Editing existing base and supplemental policies with the Microsoft App Control Wizard.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md
index a0c8c1e69a..ad430e20d0 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md
@@ -2,7 +2,7 @@
title: App Control for Business Wizard Policy Merging Operation
description: Merging multiple policies into a single App Control policy with the App Control Wizard.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md
index 5e2b4e4017..4cd50e9bd2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md
@@ -2,7 +2,7 @@
title: App Control for Business Wizard App Control Event Parsing
description: Creating App Control policy rules from the App Control event logs and the MDE Advanced Hunting App Control events.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md
index 5fab393481..5cd068e7b1 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md
@@ -2,7 +2,7 @@
title: App Control for Business Wizard
description: The App Control for Business policy wizard tool allows you to create, edit, and merge App Control policies in a simple to use Windows application.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
index 23d40c8440..f2ebb636f5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
@@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
-- webclnt.dll/davsvc.dll
+- webclnt.dll/davsvc.dll3
- wfc.exe
- windbg.exe
- wmic.exe
@@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
+3 If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
+
* Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md
index 4ba40200b3..bf802fc507 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md
@@ -3,7 +3,7 @@ title: Policy creation for common App Control usage scenarios
description: Develop a plan for deploying App Control for Business in your organization based on these common scenarios.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
---
# App Control for Business deployment in different scenarios: types of devices
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md
index 1563a69a95..97c05323c3 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md
@@ -1,7 +1,7 @@
---
title: Create an App Control policy for fully managed devices
description: App Control for Business restricts which applications users are allowed to run and the code that runs in system core.
-ms.topic: conceptual
+ms.topic: how-to
ms.localizationpriority: medium
ms.date: 09/11/2024
---
@@ -10,12 +10,12 @@ ms.date: 09/11/2024
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
-This section outlines the process to create an App Control for Business policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+This section outlines the process to create an App Control for Business policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) is that all software that's deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
> [!NOTE]
> Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices.
+As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of App Control.
@@ -55,7 +55,7 @@ Having defined the "circle-of-trust", Alice is ready to generate the initial pol
Alice follows these steps to complete this task:
> [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
+> If you don't use Configuration Manager or prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11.
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
index b7c6837954..44d3e45252 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
@@ -1,7 +1,7 @@
---
title: Create an App Control policy for lightly managed devices
description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core.
-ms.topic: conceptual
+ms.topic: how-to
ms.localizationpriority: medium
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
index 3ce08b2022..67506d5785 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
@@ -81,7 +81,7 @@ The following recommended blocklist xml policy file can also be downloaded from
```xml
- 10.0.27685.0
+ 10.0.27770.0{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
@@ -378,6 +378,26 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -552,6 +572,12 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
@@ -1015,10 +1041,10 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
+
+
+
+
@@ -1238,6 +1264,8 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
@@ -1266,150 +1294,150 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1579,6 +1607,70 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1716,6 +1808,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1736,6 +1829,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1781,6 +1875,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1852,6 +1947,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1879,6 +1975,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1898,6 +1995,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1925,6 +2023,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1944,6 +2043,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2016,6 +2116,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2035,9 +2136,10 @@ The following recommended blocklist xml policy file can also be downloaded from
+
-
+
@@ -2053,6 +2155,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2071,6 +2174,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2103,7 +2207,7 @@ The following recommended blocklist xml policy file can also be downloaded from
-
+
@@ -2157,6 +2261,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2176,6 +2281,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2345,6 +2451,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2663,7 +2770,17 @@ The following recommended blocklist xml policy file can also be downloaded from
-
+
+
+
+
+
+
+
+
+
+
+
@@ -2809,6 +2926,43 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2916,12 +3070,40 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2929,10 +3111,13 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
@@ -2956,6 +3141,10 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
@@ -2967,6 +3156,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -3011,6 +3201,10 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
@@ -3034,6 +3228,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -3071,6 +3266,8 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
@@ -3382,6 +3579,26 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3556,6 +3773,12 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
@@ -4025,9 +4248,9 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
+
+
+
@@ -4243,6 +4466,8 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
@@ -4275,78 +4500,78 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4356,78 +4581,78 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4588,6 +4813,70 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4713,16 +5002,16 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
@@ -4745,7 +5034,7 @@ The following recommended blocklist xml policy file can also be downloaded from
- 10.0.27685.0
+ 10.0.27770.0
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md
index ff41a98da8..90bef6240f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md
@@ -3,7 +3,7 @@ title: Plan for App Control policy management
description: Learn about the decisions you need to make to establish the processes for managing and maintaining App Control for Business policies.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Plan for App Control for Business lifecycle policy management
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md
index 16b4739600..48193d95b6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md
@@ -3,7 +3,7 @@ title: Understand App Control script enforcement
description: App Control script enforcement
ms.manager: jsuther
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
ms.localizationpriority: medium
---
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
> [!IMPORTANT]
-> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors.
+> Option **11 Disabled:Script Enforcement** isn't supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and shouldn't be used on those platforms. Doing so will result in unexpected script enforcement behaviors.
## Script enforcement overview
@@ -23,7 +23,7 @@ Validation for signed scripts is done using the [WinVerifyTrust API](/windows/wi
App Control shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks App Control if a script should be allowed, an event is logged with the answer App Control returned to the script host. For more information on App Control script enforcement events, see [Understanding App Control events](../operations/event-id-explanations.md#app-control-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects).
> [!NOTE]
-> When a script runs that is not allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
+> When a script runs that isn't allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
>
> Also be aware that some script hosts may change how they behave even if an App Control policy is in audit mode only. You should review the script host specific information in this article and test thoroughly within your environment to ensure the scripts you need to run are working properly.
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
index 8cdfe418ba..c35d1b5431 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
@@ -3,7 +3,7 @@ title: Understand App Control for Business policy rules and file rules
description: Learn how App Control policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
---
# Understand App Control for Business policy rules and file rules
@@ -130,7 +130,9 @@ There's a defined list of SIDs that App Control recognizes as admins. If a filep
App Control's list of well-known admin SIDs are:
+```
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
+```
When filepath rules are generated using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
@@ -140,8 +142,8 @@ The following wildcards can be used in App Control filepath rules:
| Wildcard character | Meaning | Supported operating systems |
|------------ | ----------- | ----------- |
-| **`*`** | Matches zero or more characters. | Windows 11, Windows 10, and Windows Server 2022 |
-| **`?`** | Matches a single character. | Windows 11 only |
+| **`*`** | Matches zero or more characters. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **`?`** | Matches a single character. | Windows 11 and later, or Windows Server 2025 and later |
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. These macros can be used in combination with the wildcards above.
@@ -154,9 +156,9 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
| Examples | Description | Supported operating systems |
|------------ | ----------- | ----------- |
-| **C:\\Windows\\\*** **D:\\EnterpriseApps\\MyApp\\\*** **%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 11, Windows 10, and Windows Server 2022 |
-| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 11, Windows 10, and Windows Server 2022 |
-| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe** **%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match: *`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`* *`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 only |
+| **C:\\Windows\\\*** **D:\\EnterpriseApps\\MyApp\\\*** **%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe** **%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match: *`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`* *`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 and later, or Windows Server 2025 and later |
Without a wildcard, the filepath rule allows only a specific file (ex. `C:\foo\bar.exe`).
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md
index f808763724..6bbb22ad79 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md
@@ -3,7 +3,7 @@ title: Understand App Control for Business policy design decisions
description: Understand App Control for Business policy design decisions.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
---
# Understand App Control for Business policy design decisions
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md b/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md
index 995deda446..f4cb6a9205 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md
@@ -3,7 +3,7 @@ title: Understanding App Control for Business secure settings
description: Learn about secure settings in App Control for Business.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
---
# Understanding App Control Policy Settings
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
index c8bb39fb47..617ba5eb29 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
@@ -9,7 +9,7 @@ appliesto:
# CiTool technical reference
-CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2.
+CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's included in the Windows images starting with Windows 11, version 22H2, and Windows Server 2025.
## Policy commands
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
index 0f5513efc4..eb8c5af737 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
@@ -3,7 +3,7 @@ title: Understanding App Control event tags
description: Learn what different App Control for Business event tags signify.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
---
# Understanding App Control event tags
@@ -72,11 +72,11 @@ Represents why verification failed, or if it succeeded.
| 19 | Binary is revoked based on its file hash. |
| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy. |
| 21 | Failed to pass App Control for Business policy. |
-| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. |
+| 22 | Not Isolated User Mode (IUM) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. |
| 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. |
| 25 | Anti-cheat policy violation. |
-| 26 | Explicitly denied by WADC policy. |
+| 26 | Explicitly denied by App Control policy. |
| 27 | The signing chain appears to be tampered/invalid. |
| 28 | Resource page hash mismatch. |
@@ -127,35 +127,34 @@ Next, use the bit addresses and their values from the following table to determi
| 23 | `Enabled:Advanced Boot Options Menu` |
| 24 | `Disabled:Script Enforcement` |
| 25 | `Required:Enforce Store Applications` |
-| 27 | `Enabled:Managed Installer` |
+| 27 | `Enabled:Managed Installer` |
| 28 | `Enabled:Update Policy No Reboot` |
## Microsoft Root CAs trusted by Windows
-The rule means trust anything signed by a certificate that chains to this root CA.
+The Microsoft Root certificates can be allowed and denied in policy using 'WellKnown' rules. The mapping between the root's ASN1 encoded RSA PKCS#1 public key and the WellKnown values, expressed in hexidecimal, are listed below
-| Root ID | Root Name |
+| Root ID | Root Name | Root Public Key |
|---|----------|
-| 0| None |
-| 1| Unknown |
-| 2 | Self-Signed |
-| 3 | Microsoft Authenticode(tm) Root Authority |
-| 4 | Microsoft Product Root 1997 |
-| 5 | Microsoft Product Root 2001 |
-| 6 | Microsoft Product Root 2010 |
-| 7 | Microsoft Standard Root 2011 |
-| 8 | Microsoft Code Verification Root 2006 |
-| 9 | Microsoft Test Root 1999 |
-| 10 | Microsoft Test Root 2010 |
-| 11 | Microsoft DMD Test Root 2005 |
-| 12 | Microsoft DMDRoot 2005 |
-| 13 | Microsoft DMD Preview Root 2005 |
-| 14 | Microsoft Flight Root 2014 |
-| 15 | Microsoft Third Party Marketplace Root |
-| 16 | Microsoft ECC Testing Root CA 2017 |
-| 17 | Microsoft ECC Development Root CA 2018 |
-| 18 | Microsoft ECC Product Root CA 2018 |
-| 19 | Microsoft ECC Devices Root CA 2017 |
+| 0| None | N/A |
+| 1| Unknown | N/A |
+| 2 | Self-Signed | N/A |
+| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
+| 4 | Microsoft Product Root 1997 | `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` |
+| 5 | Microsoft Product Root 2001 | `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`|
+| 6 | Microsoft Product Root 2010 | `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`|
+| 7 | Microsoft Standard Root 2011 | `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`|
+| 8 | Microsoft Code Verification Root 2006 | `3082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
+| 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
+| 0A | Microsoft Test Root 2010 | `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`|
+| 0B | Microsoft DMD Test Root 2005 | `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`|
+| 0C | Microsoft DMDRoot 2005 | `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`|
+| 0D | Microsoft DMD Preview Root 2005 | `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`|
+| 0E | Microsoft Flight Root 2014 | `3082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
+| 0F | Microsoft Third Party Marketplace Root | `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`|
+| 14 | Microsoft Trusted Root Store | N/A |
+| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
+| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md
index f62b037cb4..6520b17bbb 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md
@@ -3,7 +3,7 @@ title: Inbox App Control policies
description: This article describes the inbox App Control policies that may be active on a device.
ms.manager: jsuther
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
---
diff --git a/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md b/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
index ce8d6225a0..9f6ad2b2dc 100644
--- a/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
+++ b/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
@@ -6,7 +6,7 @@ author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
index 8c81845b7b..68d64ea7fe 100644
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -96,6 +96,7 @@ The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\Cur
| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled 1 (Default) = Enabled |
| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled 1 (Default) = Enabled |
| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled 1 (Default) = Enabled |
+| Prioritise network logons over cached logons | `InteractiveLogonFirst` | 0 (Default) = Disabled 1 = Enabled |
[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
index cc5f471678..436c24ff57 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -2,7 +2,7 @@
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
ms.date: 07/11/2024
-ms.topic: conceptual
+ms.topic: overview
---
# Microsoft Defender Application Guard overview
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 275a28dd9e..9fdffea69e 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -3,7 +3,7 @@ title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.localizationpriority: medium
ms.date: 07/11/2024
-ms.topic: conceptual
+ms.topic: article
---
# Application Guard testing scenarios
diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml
index c8ed951135..c2de68aab3 100644
--- a/windows/security/application-security/application-isolation/toc.yml
+++ b/windows/security/application-security/application-isolation/toc.yml
@@ -1,20 +1,16 @@
items:
- name: Microsoft Defender Application Guard (MDAG)
href: microsoft-defender-application-guard/md-app-guard-overview.md
-- name: MDAG for Edge standalone mode
- href: microsoft-defender-application-guard/md-app-guard-overview.md
-- name: MDAG for Edge enterprise mode and enterprise management 🔗
- href: /deployedge/microsoft-edge-security-windows-defender-application-guard
-- name: MDAG for Microsoft Office
- href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
-- name: MDAG configure via MDM 🔗
- href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
+ items:
+ - name: MDAG for Microsoft Edge standalone mode
+ href: microsoft-defender-application-guard/md-app-guard-overview.md
+ - name: MDAG for Microsoft Edge enterprise mode and enterprise management 🔗
+ href: /deployedge/microsoft-edge-security-windows-defender-application-guard
+ - name: MDAG for Microsoft Office
+ href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
+ - name: Configure MDAG via MDM 🔗
+ href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
- name: App containers 🔗
href: /virtualization/windowscontainers/about
- name: Windows Sandbox
- href: windows-sandbox/windows-sandbox-overview.md
- items:
- - name: Windows Sandbox architecture
- href: windows-sandbox/windows-sandbox-architecture.md
- - name: Windows Sandbox configuration
- href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+ href: windows-sandbox/index.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/index.md b/windows/security/application-security/application-isolation/windows-sandbox/index.md
new file mode 100644
index 0000000000..90957adc4b
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/index.md
@@ -0,0 +1,43 @@
+---
+title: Windows Sandbox
+description: Windows Sandbox overview
+ms.topic: overview
+ms.date: 09/09/2024
+---
+
+# Windows Sandbox
+
+Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It's ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience.
+
+The sandbox is temporary; closing it deletes all software, files, and state. Each launch provides a fresh instance. Host-installed software isn't available in the sandbox. Applications needed within the sandbox must be installed there explicitly.
+
+> [!NOTE]
+> Starting with Windows 11, version 22H2, data persists through restarts initiated within the sandbox, useful for applications requiring a reboot.
+
+Windows Sandbox offers the following features:
+
+- **Part of Windows**: Everything required for this feature is included in the supported Windows editions like Pro, Enterprise, and Education. There's no need to maintain a separate VM installation.
+- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
+- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
+- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
+- **Efficient**: Takes a few seconds to launch, supports virtual GPU, and has smart memory management that optimizes memory footprint.
+
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). Enabling networking can expose untrusted applications to the internal network.
+
+WSB can be used without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can use WSB:
+
+- **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
+- **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
+- **Running Untrusted Applications**: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode. Check [Sample configuration files](windows-sandbox-sample-configuration.md) for more details.
+- **Testing or demoing new software for the first time**: Test drive or demo new software, preview versions, extensions, or add-ons without the hassle of installing and then uninstalling on your host machine.
+- **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies!
+
+> [!NOTE]
+> Windows Sandbox currently doesn't allow multiple instances to run simultaneously.
+
+
+[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]
+
+> [!NOTE]
+> Windows Sandbox is currently not supported on Windows Home edition.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml
new file mode 100644
index 0000000000..9654e55dcd
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml
@@ -0,0 +1,26 @@
+items:
+- name: Windows Sandbox
+ href: index.md
+- name: Overview
+ expanded: true
+ items:
+ - name: Windows Sandbox versions
+ href: windows-sandbox-versions.md
+ - name: Architecture
+ href: windows-sandbox-architecture.md
+- name: Install Windows Sandbox
+ href: windows-sandbox-install.md
+- name: Use & configure Windows Sandbox
+ href: windows-sandbox-configure-using-wsb-file.md
+- name: Windows Sandbox command line interface
+ href: windows-sandbox-cli.md
+- name: Tutorials
+ items:
+ - name: Sample configuration files
+ href: windows-sandbox-sample-configuration.md
+- name: WindowsSandbox Policy CSP 🔗
+ href: /windows/client-management/mdm/policy-csp-windowssandbox
+- name: Frequently asked questions
+ href: windows-sandbox-faq.yml
+- name: Troubleshooting
+ href: windows-sandbox-troubleshoot.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
index 0da205053a..671352b771 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
@@ -1,8 +1,8 @@
---
title: Windows Sandbox architecture
description: Windows Sandbox architecture
-ms.topic: conceptual
-ms.date: 03/26/2024
+ms.topic: article
+ms.date: 09/09/2024
---
# Windows Sandbox architecture
@@ -27,18 +27,10 @@ Traditional VMs apportion statically sized allocations of host memory. When reso
## Memory sharing
-Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when `ntdll.dll` is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.

-## Integrated kernel scheduler
-
-With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
-
-
-
-Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container.
-
## WDDM GPU virtualization
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md
new file mode 100644
index 0000000000..c181a80a91
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md
@@ -0,0 +1,101 @@
+---
+title: Windows Sandbox command line
+description: Windows Sandbox command line interface
+ms.topic: how-to
+ms.date: 10/22/2024
+---
+
+# Windows Sandbox command line interface
+
+Starting with Windows 11, version 24H2, the Windows Command Line Interface (CLI) offers powerful tools for creating, managing, and controlling sandboxes, executing commands, and sharing folders within sandbox sessions. This functionality is especially valuable for scripting, task automation, and improving development workflows. In this section, you'll explore how the Windows Sandbox CLI operates, with examples demonstrating how to use each command to enhance your development process.
+
+**Common parameters**:
+
+- `--raw`: Formats all outputs in JSON format.
+- `-?, -h, --help`: Show help and usage information
+
+## Start
+
+The start command creates and launches a new sandbox. The command returns the sandbox ID, which is a unique identifier for the sandbox. The sandbox ID can be used to refer to the sandbox in other commands.
+
+- `--id `: ID of the Windows Sandbox environment.
+- `--c, --config `: Formatted string with the settings that should be used to create the Windows Sandbox environment.
+
+**Examples**:
+
+- Create a Windows Sandbox environment with the default settings:
+
+ ```cmd
+ wsb start
+ ```
+
+- Create a Windows Sandbox environment with a custom configuration:
+
+ ```cmd
+ wsb start --config "Disabled"
+ ```
+
+## List
+
+The list command displays a table that shows the information the running Windows Sandbox sessions for the current user. The table includes the sandbox ID. The status can be either running or stopped. The uptime is the duration that the sandbox has been running.
+
+```cmd
+wsb list
+```
+
+## Exec
+
+The exec command executes a command in the sandbox. The command takes two arguments: the sandbox ID and the command to execute. The command can be either a built-in command or an executable file. The exec command runs the command in the sandbox and returns the exit code. The exec command can also take optional arguments that are passed to the process started in the sandbox.
+
+> [!NOTE]
+> Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox.
+
+An active user session is required to execute a command in the context of the currently logged on user. Therefore, before running this command a remote desktop connection should be established. This can be done using the [connect](#connect) command.
+
+- `--id ` (REQUIRED): ID of the Windows Sandbox environment.
+- `-c, --command ` (REQUIRED): The command to execute within Windows Sandbox.
+- `-r, --run-as ` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command runs in the system context. If the ExistingLogin option is selected, the command runs in the currently active user session or fails if there's no active user session.
+- `-d, --working-directory `: Directory to execute command in.
+
+```cmd
+wsb exec –-id 12345678-1234-1234-1234-1234567890AB -c app.exe -r System
+```
+
+## Stop
+
+The stop command stops a running Windows Sandbox session. The command takes the sandbox ID as an argument.
+
+The stop command terminates the sandbox process and releases the resources allocated to the sandbox. The stop command also closes the window that shows the sandbox desktop.
+
+```cmd
+wsb stop --id 12345678-1234-1234-1234-1234567890AB
+```
+
+## Share
+
+The share command shares a host folder with the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder.
+
+- `--id ` (REQUIRED): ID of the Windows Sandbox environment.
+- `-f, --host-path ` (REQUIRED): Path to folder that is shared from the host.
+- `-s, --sandbox-path ` (REQUIRED): Path to the folder within the Windows Sandbox.
+- `-w, --allow-write`: If specified, the Windows Sandbox environment is allowed to write to the shared folder.
+
+```cmd
+wsb share --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write
+```
+
+## Connect
+
+The connect command starts a remote session within the sandbox. The command takes the sandbox ID as an argument. The connect command opens a new window with a remote desktop session. The connect command allows the user to interact with the sandbox using the mouse and keyboard.
+
+```cmd
+wsb connect --id 12345678-1234-1234-1234-1234567890AB
+```
+
+## IP
+
+The ip command displays the IP address of the sandbox. The command takes the sandbox ID as an argument.
+
+```cmd
+wsb ip --id 12345678-1234-1234-1234-1234567890AB
+```
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 29d6d96ecb..f1a42226e3 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,11 +1,32 @@
---
-title: Windows Sandbox configuration
-description: Windows Sandbox configuration
+title: Use and configure Windows Sandbox
+description: Use and configure Windows Sandbox
ms.topic: how-to
-ms.date: 03/26/2024
+ms.date: 09/09/2024
---
-# Windows Sandbox configuration
+# Use and configure Windows Sandbox
+
+To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with maximum capacity of 4GB memory with the following properties:
+
+- **vGPU (virtualized GPU)**: Enabled on non-Arm64 devices.
+- **Networking**: Enabled. The sandbox uses the Hyper-V default switch.
+- **Audio input**: Enabled. The sandbox shares the host's microphone input into the sandbox.
+- **Video input**: Disabled. The sandbox doesn't share the host's video input into the sandbox.
+- **Protected client**: Disabled. The sandbox doesn't use increased security settings on the Remote Desktop Protocol (RDP) session.
+- **Printer redirection**: Disabled. The sandbox doesn't share printers with the host.
+- **Clipboard redirection**: Enabled. The sandbox shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
+
+> [!IMPORTANT]
+>
+> - Networking is enabled by default. This can expose untrusted applications to the internal network. To launch a Sandbox with networking disabled, use a custom .wsb file.
+> - With Clipboard redirection automatically enabled, you can easily copy files from the host and paste them into the Windows Sandbox window.
+
+You have the freedom to open files, install applications from the web, and perform various other tasks that benefit from an isolated clean environment.
+
+When you're finished experimenting, close the sandbox. A dialog box prompts you to confirm the deletion of all sandbox content. Select **Ok** to proceed. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
+
+## Configure a custom Windows Sandbox
Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension.
@@ -14,7 +35,7 @@ A configuration file enables the user to control the following aspects of Window
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data.
-- **Logon command**: A command that's executed when Windows Sandbox starts.
+- **Logon command**: A command to execute when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox.
@@ -25,7 +46,7 @@ A configuration file enables the user to control the following aspects of Window
> [!NOTE]
> The size of the sandbox window currently isn't configurable.
-## Creating a configuration file
+## Create a configuration file
To create a configuration file:
@@ -37,10 +58,8 @@ To create a configuration file:
```
-3. Add appropriate configuration text between the two lines. For details, see [examples](#examples).
-4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`.
-
-## Using a configuration file
+3. Add appropriate configuration text between the two lines. For details, see [examples](windows-sandbox-sample-configuration.md).
+4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"MyConfigFile.wsb"`.
To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:
@@ -48,19 +67,21 @@ To use a configuration file, double-click it to start Windows Sandbox according
C:\Temp> MyConfigFile.wsb
```
-## Keywords, values, and limits
+## Configuration options
### vGPU
Enables or disables GPU sharing.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables vGPU support in the sandbox.
-- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
-- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
+- **Enable**: Enables vGPU support in the sandbox.
+- **Disable**: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
+- **Default**: This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
@@ -69,25 +90,29 @@ Supported values:
Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables networking in the sandbox.
-- *Disable*: Disables networking in the sandbox.
-- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
+- **Enable**: Enables networking in the sandbox.
+- **Disable**: Disables networking in the sandbox.
+- **Default**: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
> [!NOTE]
> Enabling networking can expose untrusted applications to the internal network.
### Mapped folders
-An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop.
+An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. Currently, relative paths aren't supported.
+
+When using `` to map folders, the folders are mapped before the execution of the [Logon command](#logon-command). Beginning in Windows 11, version 23H2, you can use environment variables in the path.
```xml
- absolute path to the host folder
+ absolute or relative path to the host folderabsolute path to the sandbox foldervalue
@@ -97,12 +122,12 @@ An array of folders, each representing a location on the host machine that is sh
```
-- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
-- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop.
-- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
+- **HostFolder**: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
+- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it gets created. If no sandbox folder is specified, the folder is mapped to the container user's desktop. The default user of Sandbox is `WDAGUtilityAccount`.
+- **ReadOnly**: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
> [!NOTE]
-> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
+> Files and folders mapped from the host can be compromised by apps in the sandbox or potentially affect the host. Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed.
### Logon command
@@ -114,22 +139,24 @@ Specifies a single command that will be invoked automatically after the sandbox
```
-*Command*: A path to an executable or script inside the container that will be executed after signing in.
+**Command**: A path to an executable or script inside the container that will be executed after signing in.
> [!NOTE]
-> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
+> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via ``.
### Audio input
Enables or disables audio input to the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability.
-- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
-- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
+- **Enable**: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone might require this capability.
+- **Disable**: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone might not function properly with this setting.
+- **Default**: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
@@ -138,30 +165,32 @@ Supported values:
Enables or disables video input to the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables video input in the sandbox.
-- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
-- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
+- **Enable**: Enables video input in the sandbox.
+- **Disable**: Disables video input in the sandbox. Applications that use video input might not function properly in the sandbox.
+- **Default**: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input might not function properly in the sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
### Protected client
-When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment.
+When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment. AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
-AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
-
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
-- *Disable*: Runs the Sandbox in the standard mode without extra security mitigations.
-- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
+- **Enable**: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
+- **Disable**: Runs the Sandbox in the standard mode without extra security mitigations.
+- **Default**: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
> [!NOTE]
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
@@ -170,135 +199,36 @@ Supported values:
Enables or disables printer sharing from the host into the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables sharing of host printers into the sandbox.
-- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
-- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
+- **Enable**: Enables sharing of host printers into the sandbox.
+- **Disable**: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
+- **Default**: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
### Clipboard redirection
Enables or disables sharing of the host clipboard with the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables sharing of the host clipboard with the sandbox.
-- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
-- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
+- **Enable**: Enables sharing of the host clipboard with the sandbox.
+- **Disable**: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
+- **Default**: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
### Memory in MB
Specifies the amount of memory that the sandbox can use in megabytes (MB).
-`value`
-
-If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount.
-
-## Examples
-
-### Example 1
-
-The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
-
-#### Downloads.wsb
-
```xml
-
- Disable
- Disable
-
-
- C:\Users\Public\Downloads
- C:\Users\WDAGUtilityAccount\Downloads
- true
-
-
-
- explorer.exe C:\users\WDAGUtilityAccount\Downloads
-
-
+value
```
-### Example 2
-
-The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
-
-Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
-
-With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
-
-#### VSCodeInstall.cmd
-
-Downloads VS Code to `downloads` folder and runs installation from `downloads` folder.
-
-```batch
-REM Download Visual Studio Code
-curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe
-
-REM Install and run Visual Studio Code
-C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
-```
-
-#### VSCode.wsb
-
-```xml
-
-
-
- C:\SandboxScripts
- C:\Users\WDAGUtilityAccount\Downloads\sandbox
- true
-
-
- C:\CodingProjects
- C:\Users\WDAGUtilityAccount\Documents\Projects
- false
-
-
-
- C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd
-
-
-```
-
-### Example 3
-
-The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
-
-`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
-
-#### SwapMouse.ps1
-
-Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
-
-```powershell
-[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
-
-$SwapButtons = Add-Type -MemberDefinition @'
-[DllImport("user32.dll")]
-public static extern bool SwapMouseButton(bool swap);
-'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
-
-$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
-```
-
-### SwapMouse.wsb
-
-```xml
-
-
-
- C:\sandbox
- C:\sandbox
- True
-
-
-
- powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
-
-
-```
+If the memory value specified is insufficient to boot a sandbox, it's automatically increased to the required minimum amount of 2048 MB.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml
new file mode 100644
index 0000000000..ca1408a957
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml
@@ -0,0 +1,107 @@
+### YamlMime:FAQ
+metadata:
+ title: Windows Sandbox frequently asked questions (FAQ)
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows Sandbox.
+ author: vinaypamnani-msft
+ ms.author: vinpa
+ ms.topic: faq
+ ms.date: 10/23/2024
+
+title: Common questions about Windows Sandbox
+summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Sandbox.
+
+sections:
+
+ - name: Concepts
+ questions:
+
+ - question: Who can use WSB?
+ answer: |
+ WSB can be used in various scenarios by anyone without any technical skills. Here are some ways in which you can use WSB:
+
+ - **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
+ - **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
+ - **Running Untrusted Applications**: Mitigate security risks by running untrusted applications or files, such as email attachments in WSB.
+ - **Test software features risk-free**: Easily test out software without the need for installing or uninstalling on your host machine.
+ - **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments.
+ - **Privacy Protection**: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques.
+
+ - question: What's the difference between a Hyper-V virtual machine (VM) and Windows Sandbox?
+ answer: |
+ 1. **Lightweight and Temporary**:
+ - Windows Sandbox: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system.
+ - Hyper-V VMs: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up.
+ 1. **Security Isolation**:
+ - Windows Sandbox: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it.
+ - Hyper-V VMs: While VMs also offer isolation, they persistently store changes unless you revert them manually.
+ 1. **Resource Efficiency**:
+ - Windows Sandbox: More resource efficient than a full VM. It adjusts memory usage according to the demand. It also reuses many of the host's read only OS files.
+ - Hyper-V VMs: VMs have fixed resource allocations, which can impact overall system performance.
+ 1. **Ease of Use**:
+ - Windows Sandbox: Simple to use—just open it, test your software, and close it. No complex setup or management.
+ - Hyper-V VMs: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots.
+
+ - question: What applications aren't supported inside a Windows Sandbox?
+ answer: |
+ Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' aren't supported.
+ While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps.
+
+ - name: Usage
+ questions:
+
+ - question: Why can I not change certain settings using a config file?
+ answer: |
+ You can't make changes to properties if they're controlled by Group Policy. Contact your IT Administrator for more details.
+
+ - question: How do I open multiple Sandbox instances?
+ answer: |
+ Today, Windows Sandbox only allows users to launch one Sandbox instance at a time.
+
+ - question: Installing the latest version of Windows Sandbox fails. How do I fix this?
+ answer: |
+ Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails on the first attempt, subsequent attempts continue in the background. Meanwhile, the app can still be used. Additionally, the update is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install.
+
+
+ - question: How do I know which version of Windows Sandbox am I running?
+ answer: |
+ Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you're running an older version of Windows Sandbox. If it returns a version number, you're running the newer version.
+ Alternatively, you can run `wsb --version`. If `wsb` is not available, you're running an older version of Windows Sandbox.
+ The new version of Windows Sandbox also appears in Windows Settings under **System** > **System components**.
+
+ - question: How do I save the Sandbox state?
+ answer: |
+ Windows Sandbox is temporary; closing it deletes all software, files, and state.
+
+ - question: How can I open Windows Sandbox with a different OS version?
+ answer: |
+ Windows Sandbox only allows you to use the same build as your host OS. This allows us to keep Windows Sandbox 'lightweight'.
+
+ - question: How do I uninstall Windows Sandbox?
+ answer: |
+ To remove Windows Sandbox, and all its components, navigate to **Settings > System > Optional features**, then select **More Windows features**, scroll down and unselect Windows Sandbox, then select OK.
+
+ - name: Feedback
+ questions:
+
+ - question: Where can I provide feedback?
+ answer: |
+ You can file a bug in Feedback Hub by:
+
+ 1. Open the Feedback Hub app.
+ 1. Select **Report a problem** or **Suggest a feature**.
+ 1. Fill in the **Summarize your feedback** and **Explain in more details** boxes with a detailed description of the issue or suggestion. A useful feedback item includes:
+ - Short and descriptive issue title.
+ - Windows version and build number, which can be gathered from a command prompt using the `cmd.exe --version` command.
+ - Device information (including CPU type, memory, disk etc.)
+ - Detailed repro steps. What steps do we need to take to reproduce the issue? Provide as much detail as you can. Provide error message text where possible or screenshots of errors if text can't be captured.
+ - Behavior you were expecting.
+ 1. Select an appropriate category and subcategory by using the dropdown menus. There's a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It's located under **Security and Privacy** category.
+ 1. Select **Next**.
+ 1. If you are able to reproduce the issue, please collect traces as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**.
+ 1. Attach any relevant screenshots or files for the problem, then select **Submit**.
+
+ Alternatively, you can also use the [Windows Sandbox GitHub repository](https://github.com/microsoft/Windows-Sandbox) to:
+
+ - **Search existing issues** to see if there are any associated with a problem that you're having. In the search bar, you can remove "is:open" to include resolved issues in your search. Consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority.
+ - **File a new issue**: If you have found a problem with WSB or WSB documentation and there doesn't appear to be an existing issue, you can select the green **New issue** button and then choose **WSB - Bug Report**. Provide a title for the issue, your Windows build number, whether you're running inbox or undocked Windows Sandbox, any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate.
+ - **File a feature request** by selecting the green **New issue** button and then select **Feature request**, then answer the questions describing your request.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md
new file mode 100644
index 0000000000..32b1aee636
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md
@@ -0,0 +1,59 @@
+---
+title: Install Windows Sandbox
+description: Install Windows Sandbox
+ms.topic: how-to
+ms.date: 09/09/2024
+---
+
+# Install Windows Sandbox
+
+## Prerequisites
+
+- Arm64 (for Windows 11, version 22H2 and later) or AMD64 architecture
+- Virtualization capabilities enabled in BIOS
+- At least 4 GB of RAM (8 GB recommended)
+- At least 1 GB of free disk space (SSD recommended)
+- At least two CPU cores (four cores with hyper-threading recommended)
+
+> [!NOTE]
+> Beginning in Windows 11, version 24H2, inbox store apps like Calculator, Photos, Notepad and Terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.
+
+## Installation
+
+1. Ensure that your machine is using Windows 11 or Windows 10, version 1903 or later.
+
+2. Enable virtualization on the machine.
+
+ - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
+ - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
+
+ ```powershell
+ Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
+ Update-VMVersion -VMName
+ ```
+
+3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
+
+ If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
+
+ > [!NOTE]
+ > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
+ >
+ > ```powershell
+ > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
+ > ```
+
+4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
+
+ > [!NOTE]
+ > Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system.
+ >
+ > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-sample-configuration.md#example-3---mapping-folders-and-running-a-powershell-script-as-a-logon-command).
+
+## Try WSB preview features by joining the Windows Insider Program
+
+To try the most recent features or updates to WSB, join the [Windows Insiders Program](https://insider.windows.com/getting-started). After joining the Windows Insiders Program, you can choose the channel you would like to receive preview builds from inside the Windows settings menu. You can choose from:
+
+- **Dev channel**: Most recent updates, but low stability.
+- **Beta channel**: Ideal for early adopters, more reliable builds than the Dev channel.
+- **Release Preview channel**: Preview fixes and key features on the next version of Windows just before its available to the general public.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
deleted file mode 100644
index 8d8f873a38..0000000000
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Windows Sandbox
-description: Windows Sandbox overview
-ms.topic: conceptual
-ms.date: 03/26/2024
----
-
-# Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
-
-A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
-
-Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
-
-Windows Sandbox has the following properties:
-
-- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD).
-- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
-- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
-- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
-- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
-
-> [!IMPORTANT]
-> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]
-
-## Prerequisites
-
-- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
-- Virtualization capabilities enabled in BIOS
-- At least 4 GB of RAM (8 GB recommended)
-- At least 1 GB of free disk space (SSD recommended)
-- At least two CPU cores (four cores with hyper-threading recommended)
-
-> [!NOTE]
-> Windows Sandbox is currently not supported on Windows Home edition.
-> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.
-## Installation
-
-1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11.
-
-2. Enable virtualization on the machine.
-
- - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
-
- ```powershell
- Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
- Update-VMVersion -VMName
- ```
-
-3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
-
- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
-
- > [!NOTE]
- > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
- >
- > ```powershell
- > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
- > ```
-
-4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
-
- > [!NOTE]
- > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
-
-## Usage
-
-1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
-2. Run the executable file or installer inside the sandbox.
-3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**.
-4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md
new file mode 100644
index 0000000000..8d1a0ca697
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md
@@ -0,0 +1,112 @@
+---
+title: Windows Sandbox sample configuration files
+description: Windows Sandbox sample configuration files
+ms.topic: how-to
+ms.date: 09/09/2024
+---
+
+# Windows Sandbox sample configuration files
+
+## Example 1 - Mapping Folders and testing an unknown downloaded file in a Sandbox
+
+The following config file can be used to easily test unknown downloaded files inside a sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the downloads folder from the host and is placed inside a 'temp' folder in the sandbox. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
+
+### Downloads.wsb
+
+```xml
+
+ Disable
+ Disable
+
+
+ C:\Users\Public\Downloads
+ C:\temp
+ true
+
+
+
+ explorer.exe C:\temp
+
+
+
+```
+
+## Example 2 - Installing Visual Studio Code at launch in a Sandbox
+
+The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
+
+Two folders are mapped into the sandbox; the first (`SandboxScripts`) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (`CodingProjects`) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
+
+With the Visual Studio Code installer script already mapped into the sandbox, the `` can reference it.
+
+### VSCodeInstall.cmd
+
+This batch file should be created in the `C:\SandboxScripts` directory on the host. It downloads VS Code to `temp` folder inside the sandbox and runs installation from `temp` folder.
+
+```batch
+REM Download Visual Studio Code
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\temp\vscode.exe
+
+REM Install and run Visual Studio Code
+C:\temp\vscode.exe /verysilent /suppressmsgboxes
+```
+
+### VSCode.wsb
+
+```xml
+
+
+
+ C:\SandboxScripts
+ C:\temp\sandbox
+ true
+
+
+ C:\CodingProjects
+ C:\temp\Projects
+ false
+
+
+
+ C:\temp\sandbox\VSCodeInstall.cmd
+
+
+```
+
+## Example 3 - Mapping Folders and running a PowerShell script as a Logon Command
+
+Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting.
+
+In this example, the `C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
+
+### SwapMouse.ps1
+
+Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
+
+$SwapButtons = Add-Type -MemberDefinition @'
+[DllImport("user32.dll")]
+public static extern bool SwapMouseButton(bool swap);
+'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
+
+$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
+```
+
+### SwapMouse.wsb
+
+```xml
+
+
+
+ C:\sandbox
+ C:\sandbox
+ True
+
+
+
+ powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
+
+
+```
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md
new file mode 100644
index 0000000000..a908b5875c
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md
@@ -0,0 +1,21 @@
+---
+title: Troubleshoot Windows Sandbox
+description: Troubleshoot Windows Sandbox
+ms.topic: troubleshooting
+ms.date: 09/09/2024
+---
+
+# Troubleshoot Windows Sandbox
+
+This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml#where-can-i-provide-feedback)
+
+| Error | Possible Solution |
+|--|--|
+| `WININET_E_NAME_NOT_RESOLVED` `WU_E_PT_ENDPOINT_UNREACHABLE` | Upgrade to Windows Sandbox app fails because user isn't connected to internet or network adapter is connected but no internet connection. Check your internet connection. |
+| `ERROR_FILE_NOT_FOUND` | `.wsb` config file provided by the user doesn't exist. Make sure that the path to the `.wsb` file is correct. |
+| `E_INVALIDARG` | The `.wsb` file provided by the user is invalid or has errors. Check the `.wsb` file. |
+| `REGDB_E_IIDNOTREG` | Verify if Windows Sandbox component is enabled under 'Turn Windows features on or off'. For more information, see [Install Windows Sandbox](windows-sandbox-install.md) |
+| `The following settings are enforced by your IT administrator.` | `.wsb` file has a setting enabled that is controlled via group policy. |
+| `No hypervisor was found. Please enable hypervisor support.` | Windows Sandbox only supports Hyper-V Hypervisor. Third-party hypervisors are not supported. Ensure that Hyper-V is enabled. |
+| `Cannot upgrade to the latest version of Windows Sandbox` | Ensure that your device has access to the Internet, Windows Update and Microsoft Store. Beginning with Windows 11, version 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually. |
+| `E_FAIL`, or `E_UNEXPECTED` or general failure during installation. | Possible causes:
- Installing Windows Sandbox is disabled via group policy. Check with your IT Admin. - Timeout error where we can't reach the Microsoft Store. Try again later. |
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
new file mode 100644
index 0000000000..aa15412076
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
@@ -0,0 +1,32 @@
+---
+title: Windows Sandbox versions
+description: Windows Sandbox versions
+ms.topic: article
+ms.date: 10/22/2024
+---
+
+# Windows Sandbox versions
+
+Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is available from the Microsoft Store, featuring an improved user experience and new command line functionality.
+
+- **Faster Updates**: With the app now being updated through the Microsoft Store, you can install the bug fixes and new features as soon as they're available, rather than needing to wait for an update of the Windows operating system.
+- **Revamped UI**: The app now features WinUI 3, a modern and sleek user interface built on the Fluent design system.
+- **New Runtime Features**: Users can now access clipboard redirection, audio/video input control, and folder sharing directly during runtime using the "…" icon in the top-right corner without needing a preconfigured `.wsb` file.
+- **Command Line Preview**: An early version of [command line support](windows-sandbox-cli.md) for Windows Sandbox is now available.
+
+## Upgrading to the newer version
+
+### Prerequisites
+
+- Windows Sandbox must already be installed. If it isn't already installed, [install Windows Sandbox](windows-sandbox-install.md).
+- Device must be running Windows 11, version 24H2, with KB10D or later.
+- Internet access for Microsoft Store and Windows Update.
+
+### Upgrade
+
+- Launch **Windows Sandbox** from the Start menu.
+- If the app isn't upgraded to the latest version, a progress dialog appears as it automatically attempts to update. This process typically takes 30 seconds to 2 minutes.
+- Once the installation is complete, you're directed to the updated version of the app.
+
+> [!NOTE]
+> If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually.
\ No newline at end of file
diff --git a/windows/security/application-security/index.md b/windows/security/application-security/index.md
deleted file mode 100644
index 6d2ac65456..0000000000
--- a/windows/security/application-security/index.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Windows application security
-description: Get an overview of application security in Windows
-ms.date: 08/02/2023
-ms.topic: conceptual
----
-
-# Windows application security
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
-
-Learn more about application security features in Windows.
-
-[!INCLUDE [application](../includes/sections/application.md)]
diff --git a/windows/security/application-security/toc.yml b/windows/security/application-security/toc.yml
index 84c5873b45..c8a80ddfef 100644
--- a/windows/security/application-security/toc.yml
+++ b/windows/security/application-security/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Overview
- href: index.md
- name: Application and driver control
href: application-control/toc.yml
- name: Application isolation
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 462cf9cf11..d69dbb0445 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -1,68 +1,20 @@
---
-title: Application and driver control
-description: Windows 11 security book - Application and driver control.
+title: Windows 11 Security Book - Application And Driver Control
+description: Application and driver control.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 12/11/2024
---
# Application and driver control
-:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
-Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
-capabilities to build in security from the ground up to protect against breaches and malware.
+[!INCLUDE [smart-app-control](includes/smart-app-control.md)]
-## Smart App Control
+[!INCLUDE [app-control-for-business](includes/app-control-for-business.md)]
-Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
+[!INCLUDE [administrator-protection](includes/administrator-protection.md)]
-Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
-Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
+[!INCLUDE [microsoft-vulnerable-driver-blocklist](includes/microsoft-vulnerable-driver-blocklist.md)]
-Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
-
-## App Control for Business
-
-Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
-
-Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
-
-Customers using Microsoft Intune[\[9\]](conclusion.md#footnote9) to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
-
-Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
-
-## User Account Control
-
-User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-
-Organizations can use a modern device management (MDM) solution like Microsoft Intune[\[9\]](conclusion.md#footnote9) to remotely configure UAC settings. Organizations without MDM can change settings directly
-on the device.
-
-Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
-apps and prevent inadvertent changes to system settings.
-
-Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
-
-Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
-
-:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
-
-## Microsoft vulnerable driver blocklist
-
-The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
+[!INCLUDE [trusted-signing](includes/trusted-signing.md)]
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 603d0138a4..00bf51928f 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -1,53 +1,20 @@
---
-title: Application isolation
-description: Windows 11 security book - Application isolation.
+title: Windows 11 Security Book - Application Isolation
+description: Application isolation.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 12/11/2024
---
# Application isolation
-:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
-## Win32 app isolation
+[!INCLUDE [win32-app-isolation](includes/win32-app-isolation.md)]
-Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
+[!INCLUDE [app-containers](includes/app-containers.md)]
-Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
+[!INCLUDE [windows-sandbox](includes/windows-sandbox.md)]
-In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.
+[!INCLUDE [windows-subsystem-for-linux](includes/windows-subsystem-for-linux.md)]
-To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).
-
-To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
-
-- Approaches for accessing data and privacy information
-- Integrating Win32 apps for compatibility with other Windows interfaces
-
-The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
-
-## Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
-
-Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
-- [Windows Sandbox is a new lightweight desktop environment tailored for safely
-running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
-
-## App containers
-
-In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
-
-Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
+[!INCLUDE [virtualization-based-security-enclaves](includes/virtualization-based-security-enclaves.md)]
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
index 5b8a5238ab..7270a50314 100644
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@@ -1,16 +1,16 @@
---
-title: Application security
-description: Windows 11 security book - Application security chapter.
+title: Windows 11 Security Book - Application Security
+description: Application security chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Application security
:::image type="content" source="images/application-security-cover.png" alt-text="Cover of the application security chapter." border="false":::
+Applications are prime vectors for cyberattacks due to their frequent usage and access to valuable data. Common attempts include injection attacks that insert malicious code, man-in-the-middle attacks that intercept and potentially alter communication between users and applications, and various methods of tricking users into divulging sensitive information or changing system settings.
+
+Windows 11 protects users, apps, and data with features like Windows App Control for Business and the Microsoft vulnerable driver blocklist, which help ensure that only trusted apps and drivers can run on the device.
+
:::image type="content" source="images/application-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/application-security.png" border="false":::
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.
-
-In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 39b189a20f..085aecff6a 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -1,58 +1,18 @@
---
-title: Cloud services - Protect your personal information
-description: Windows 11 security book - Cloud services chapter - Protect your personal information.
+title: Windows 11 security book - Cloud services - Protect your personal information
+description: Cloud services chapter - Protect your personal information.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Protect your personal information
-:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
-## Microsoft Account
+[!INCLUDE [microsoft-account](includes/microsoft-account.md)]
-Your Microsoft Account (MSA) gives you access to Microsoft products and services with just one login, allowing you to manage everything all in one place. Keep tabs on your subscriptions and order history, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud, across devices, and between OS ecosystems, including iOS and Android.
+[!INCLUDE [find-my-device](includes/find-my-device.md)]
-You can even go passwordless with your Microsoft Account by removing the password from your MSA and using the Microsoft Authenticator app on your mobile Android or iOS phone.
+[!INCLUDE [onedrive-for-personal](includes/onedrive-for-personal.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [What is a Microsoft account?](https://support.microsoft.com/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
-
-## User reauthentication before password disablement
-
-Windows provides greater flexibility for users to balance ease of use with security. Users can choose the interval that the machine remains idle before it automatically signs the user out. To avoid a security breach and prevent users from accidentally making settings changes, Windows reauthenticates the user before they are allowed to change the setting to not sign out the user even after the device remains idle indefinitely.
-
-This setting is available on the Sign-in options page in Settings and is available on Windows 11 and onward for MSA users worldwide.
-
-## Find my device
-
-When location services and Find my device settings are turned on, basic system services like time zone and Find my device will be allowed to use the device's location. When enabled, Find my device can be used by the admin on the device to help recover lost or stolen Windows devices to reduce security threats that rely on physical access.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How to set up, find, and lock a lost Windows device using a Microsoft Account](https://support.microsoft.com/account-billing/find-and-lock-a-lost-windows-device-890bf25e-b8ba-d3fe-8253-e98a12f26316)
-
-## OneDrive for personal
-
-Microsoft OneDrive17 for personal provides additional security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [OneDrive](/onedrive/plan-onedrive-enterprise)
-
-In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How to restore from OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15)
-
-## OneDrive Personal Vault
-
-OneDrive Personal Vault[\[9\]](conclusion.md#footnote9) also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
-
-Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
+[!INCLUDE [personal-vault](includes/personal-vault.md)]
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index 97aafdbec1..d29800ce98 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -1,269 +1,36 @@
---
-title: Cloud services - Protect your work information
-description: Windows 11 security book - Cloud services chapter - Protect your work information.
+title: Windows 11 security book - Cloud services - Protect your work information
+description: Cloud services chapter - Protect your work information.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/04/2024
---
# Protect your work information
-:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
-## Microsoft Entra ID
+[!INCLUDE [microsoft-entra-id](includes/microsoft-entra-id.md)]
-Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+[!INCLUDE [azure-attestation-service](includes/azure-attestation-service.md)]
-Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
+[!INCLUDE [microsoft-defender-for-endpoint](includes/microsoft-defender-for-endpoint.md)]
-To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
+[!INCLUDE [cloud-native-device-management](includes/cloud-native-device-management.md)]
-Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
+[!INCLUDE [microsoft-intune](includes/microsoft-intune.md)]
-:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
+[!INCLUDE [security-baselines](includes/security-baselines.md)]
-When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[9\]](conclusion.md#footnote9), it receives the following security benefits:
+[!INCLUDE [windows-laps](includes/windows-laps.md)]
-- Default managed user and device settings and policies
-- Single sign-in to all Microsoft Online Services
-- Full suite of authentication management capabilities using Windows Hello for Business
-- Single sign-on (SSO) to enterprise and SaaS applications
-- No use of consumer Microsoft Account identity
+[!INCLUDE [windows-autopilot](includes/windows-autopilot.md)]
-Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+[!INCLUDE [windows-update-for-business](includes/windows-update-for-business.md)]
-In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
+[!INCLUDE [windows-autopatch](includes/windows-autopatch.md)]
-Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
+[!INCLUDE [windows-hotpatch](includes/windows-hotpatch.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [onedrive-for-work-or-school](includes/onedrive-for-work-or-school.md)]
-- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
-- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
-
-## Modern device management through (MDM)
-
-Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune[\[9\]](conclusion.md#footnote9), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
-
-Windows 11 built-in management features include:
-
-- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
-- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Mobile device management overview](/windows/client-management/mdm-overview)
-
-## Microsoft security baselines
-
-Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
-
-A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
-
-## MDM security baseline
-
-Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
-
-The security baseline includes policies for:
-
-- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
-- Restricting remote access to devices
-- Setting credential requirements for passwords and PINs
-- Restricting use of legacy technology
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
-
-## Microsoft Intune
-
-Microsoft Intune15 is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
-
-Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication.
-
-Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies.16 For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment.
-
-Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
-
-### Endpoint Privilege Management (EPM)
-
-Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
-
-### Local Administrator Password (LAPs)
-
-Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
-
-### Mobile Application Management (MAM)
-
-With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
-
-Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
-
-Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
-
-Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
-
-With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
-
-## Remote Wipe
-
-When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
-
-Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions[\[9\]](conclusion.md#footnote9) can remotely initiate any of the following operations:
-
-- Reset the device and remove user accounts and data
-- Reset the device and clean the drive
-- Reset the device but persist user accounts and data
-
-Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
-
-## Microsoft Azure Attestation Service
-
-Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune[\[9\]](conclusion.md#footnote9) integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) Conditional Access.
-
-**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
-
-- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
-- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
-- Verify that security features are in the expected states
-
-Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Azure Attestation overview](/azure/attestation/overview)
-
-## Windows Update for Business deployment service
-
-The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
-
-The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune[\[9\]](conclusion.md#footnote9) and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
-
-For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb)
-
-## Windows Autopatch
-
-Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks.
-
-Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices.
-
-From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.[\[9\]](conclusion.md#footnote9) The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
-
-There's a lot more to learn about Windows Autopatch:
-
-- This [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, analyzes the impact of Windows Autopatch on real customers
-- [IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service
-- The [Windows Autopatch community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
-
-## Windows Autopilot and zero-touch deployment
-
-Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies.
-
-- From a user perspective, it only takes a few simple operations to get their device ready for use
-- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point
-
-Windows Autopilot enables you to:
-
-- Automatically join devices to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
-- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration)
-- Automatic upgrade to Enterprise Edition if required
-- Restrict administrator account creation
-- Create and auto-assign devices to configuration groups based on a device's profile
-- Customize Out of Box Experience (OOBE) content specific to the organization
-
-Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Autopilot](https://aka.ms/WindowsAutopilot)
-
-## Enterprise State Roaming with Azure
-
-Available to any organization with a Microsoft Entra ID Premium[\[9\]](conclusion.md#footnote9) or Enterprise Mobility + Security (EMS)[\[9\]](conclusion.md#footnote9) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
-
-## Universal Print
-
-Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
-
-Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
-
-Universal Print supports Zero Trust security by requiring that:
-
-- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[9\]](conclusion.md#footnote9). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
-- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
-- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
-- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
-- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
-- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
-
-Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune[\[9\]](conclusion.md#footnote9), admins can now configure policies to provision specific printers onto the user's Windows devices.
-
-Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
-
-More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview).
-
-The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
-
-Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
-- [Data handling in Universal Print](/universal-print/data-handling)
-- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
-
-For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
-
-## OneDrive for work or school
-
-Data in OneDrive for work or school is protected both in transit and at rest.
-
-When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
-
-Authenticated connections are not allowed over HTTP and instead redirect to HTTPS.
-
-There are several ways that OneDrive for work or school is protected at rest:
-
-- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)
-- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
-- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
-- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
-
-## MDM enrollment certificate attestation
-
-When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/)
+[!INCLUDE [universal-print](includes/universal-print.md)]
diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md
index 9c78f4867b..cd8be85df1 100644
--- a/windows/security/book/cloud-services.md
+++ b/windows/security/book/cloud-services.md
@@ -1,16 +1,16 @@
---
-title: Cloud services
-description: Windows 11 security book - Cloud services chapter.
+title: Windows 11 security book - Cloud services
+description: Cloud services chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Cloud services
:::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false":::
-:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false":::
+The workplace is constantly evolving, with many users working outside the office at least some of the time. While remote work and cloud services provide more flexibility, they also result in more endpoints and locations for organizations to worry about.
-Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
+Windows 11, combined with Microsoft Entra ID for identity management, and cloud-based device management solutions like Microsoft Intune, can be the foundation of a *Zero Trust* security model that enables flexible workstyles while controlling access, safeguarding sensitive information, and mitigating threats.
-From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere.
+:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram containing a list of security features." lightbox="images/cloud-security.png" border="false":::
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index c8137e0758..7a9d69992d 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -1,13 +1,13 @@
---
-title: Conclusion
-description: Conclusion
+title: Windows 11 security book - Conclusion
+description: Windows 11 security book conclusion.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Conclusion
-We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere.
+We will continue to innovate with security by design and security by default at the heart of every new Windows 11 PC and Windows 11 IoT device. This commitment ensures that our products not only meet, but exceed, the security expectations of our customers by providing robust protection against modern cyber threats while maintaining ease-of-use and performance. By integrating advanced security measures from the ground up, we aim to create a safer digital environment for everyone.
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
@@ -15,31 +15,30 @@ We will continue to bring you new features to protect against evolving threats,
New:
-- Config Refresh
-- 5G and eSIM
-- Win32 apps in isolation (public preview)
-- Passkey
-- Sign-in Session Token Protection
-- Windows Local Administrator Password Solution (LAPS) (public preview)
-- Microsoft Intune Suite Endpoint Privilège Management (EPM)
-- Microsoft Intune Suite Endpoint Privilege Management (EPM)
+- [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
+- [Config Refresh](operating-system-security-system-security.md#-config-refresh)
+- [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
+- [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
+- [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
+- [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
+- [Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
+- [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
+- [Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
Enhanced:
-- Hardware security user experience
-- BitLocker to go
-- Device encryption
-- Windows Firewall
-- Server Message Block direct
-- Smart App Control (SAC) going into Enforcement mode
-- Application Control for Business
-- Enhanced Sign-in security (ESS)
-- Windows Hello for Business
-- Presence Detection
-- Wake on approach, lock on leave
-- Universal Print
-- Lockout policies for local admin
-- Enhanced Phishing protection
+- [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
+- [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
+- [Device encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
+- [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
+- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys)
+- [Personal data encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
+- [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
+- [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
+- [Windows Hello PIN](identity-protection-passwordless-sign-in.md#windows-hello-pin)
+- [Windows Firewall](operating-system-security-network-security.md#windows-firewall)
+- [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
+- [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
## Document revision history
@@ -48,30 +47,27 @@ Enhanced:
|November 2021 |Link updates and formatting.|
|February 2022 |Revisions to Hardware root-of-trust, Virus and threat protection, and Windows Hello for Business content.|
|April 2022| Added Upcoming features section.|
-| September 2022| Updates with Windows 11 2022 Update features and enhancements.|
+|September 2022| Updates with Windows 11, version 22H2, features and enhancements.|
|April 2023| Minor edits and updates to edition availability.|
-|September 2023| Updates with Windows 11 2023 Update features and enhancement.|
-|May 2024| Move form PDF format to web format.|
+|September 2023| Updates with Windows 11, version 23H2, features and enhancements.|
+|May 2024| Move from PDF format to web format.|
+|November 2024| Updates with Windows 11, version 24H2, features and enhancements.|
## Endnotes
-1 "2023 Data Breach Investigations Report" - Verizon, 2023.\
-2 "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\
-3 Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\
-4 Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\
-5 Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\
-6 Requires developer enablement.\
-7 Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\
-8 Commissioned study delivered by Forrester Consulting. "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\
-9 Sold separately.\
-10 Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.\
-11 Microsoft internal data.\
-12 Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.\
-13 Requires Microsoft Entra ID (formerly AAD) Premium; sold separately.\
-14 Hardware dependent.\
-15 Microsoft 365 E3 or E5 required; sold separately.\
-16 The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.\
-17 All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.
+||Details|
+|-|-|
+|**1**| [Microsoft digital defense report, CISO executive summary, October 2023](https://www.microsoft.com/security/security-insider/microsoft-digital-defense-report-2023).|
+|**2**| Windows 11 Survey Report. Techaisle, September 2024. Windows 11 results are in comparison with Windows 10 devices.|
+|**3**| Requires developer enablement.|
+|**4**| Sold separately.|
+|**5**| The Passkey can be saved locally to the Windows device and authenticated via Windows Hello or Windows Hello for Business. Hardware dependent.|
+|**6**| Commissioned study delivered by Forrester Consulting "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note, quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
+|**7**| Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
+|**8**| Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.|
+|**9**| Hardware dependent.|
+|**10**|All users with a Microsoft account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
+|**11**|The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|
---
@@ -89,4 +85,4 @@ Enhanced:
>
> The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
>
-> Part No. May 2024
+> Part No. November 2024
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
new file mode 100644
index 0000000000..09081404bf
--- /dev/null
+++ b/windows/security/book/features-index.md
@@ -0,0 +1,10 @@
+---
+title: Windows 11 security book - Features index
+description: Windows security book features index.
+ms.topic: overview
+ms.date: 11/18/2024
+---
+
+# Features index
+
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim) [Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control) [Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies) [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection) [App containers](application-security-application-isolation.md#app-containers) [App Control for Business](application-security-application-and-driver-control.md#app-control-for-business) [Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules) [Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service) [BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go) [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker) [Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection) [Certificates](operating-system-security-system-security.md#certificates) [Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management) [Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity) [Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc) [Config Refresh](operating-system-security-system-security.md#-config-refresh) [Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access) [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard) [Cryptography](operating-system-security-system-security.md#cryptography) [Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption) [Device Health 
Attestation](operating-system-security-system-security.md#device-health-attestation) [Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security) [Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption) [Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive) [Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen) [Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess) [Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection) [Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips) [Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in) [FIDO2](identity-protection-passwordless-sign-in.md#fido2) [Find my device](cloud-services-protect-your-personal-information.md#find-my-device) [Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection) [Kiosk mode](operating-system-security-system-security.md#kiosk-mode) [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection) [Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account) [Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator) [Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki) [Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus) [Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint) 
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen) [Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id) [Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune) [Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering) [Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor) [Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard) [Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl) [Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist) [Network protection](operating-system-security-virus-and-threat-protection.md#network-protection) [OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal) [OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school) [OneFuzz service](security-foundation-offensive-research.md#onefuzz-service) [Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption) [Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault) [Privacy resource usage](privacy-controls.md#privacy-resource-usage) [Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls) [Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard) [Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe) [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows) [Secure Future Initiative 
(SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi) [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel) [Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core) [Security baselines](cloud-services-protect-your-work-information.md#security-baselines) [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services) [Smart App Control](application-security-application-and-driver-control.md#smart-app-control) [Smart cards](identity-protection-passwordless-sign-in.md#smart-cards) [Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom) [Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection) [Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview) [Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls) [Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot) [Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm) [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing) [Universal Print](cloud-services-protect-your-work-information.md#-universal-print) [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection) [Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn) [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves) [Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in) [Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections) [Win32 app 
isolation](application-security-application-isolation.md#-win32-app-isolation) [Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch) [Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot) [Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration) [Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation) [Windows Firewall](operating-system-security-network-security.md#windows-firewall) [Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business) [Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello) [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch) [Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs) [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps) [Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing) [Windows protected print](operating-system-security-system-security.md#-windows-protected-print) [Windows Sandbox](application-security-application-isolation.md#windows-sandbox) [Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing) [Windows Security](operating-system-security-system-security.md#windows-security) [Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk) [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl) [Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
\ No newline at end of file
diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md
index 871680e2f4..e7b5572e7f 100644
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@@ -1,35 +1,14 @@
---
-title: Hardware root-of-trust
-description: Windows 11 security book - Hardware root-of-trust.
+title: Windows 11 security book - Hardware root-of-trust
+description: Hardware root-of-trust.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Hardware root-of-trust
-:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
-## Trusted Platform Module (TPM)
+[!INCLUDE [trusted-platform-module](includes/trusted-platform-module.md)]
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
-- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
-- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)
-
-## Microsoft Pluton security processor
-
-The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
-
-Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.
-
-As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution.
-
-Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
-- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
+[!INCLUDE [microsoft-pluton-security-processor](includes/microsoft-pluton-security-processor.md)]
\ No newline at end of file
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 8be924910a..09f47b09a5 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -1,82 +1,18 @@
---
-title: Silicon assisted security
-description: Windows 11 security book - Silicon assisted security.
+title: Windows 11 security book - Silicon assisted security
+description: Silicon assisted security.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Silicon assisted security
-:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
-In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
+In addition to a modern hardware root-of-trust, there are multiple capabilities in the latest chips that harden the operating system against threats. These capabilities protect the boot process, safeguard the integrity of memory, isolate security-sensitive compute logic, and more.
-## Secured kernel
+[!INCLUDE [secured-kernel](includes/secured-kernel.md)]
-To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
+[!INCLUDE [kernel-direct-memory-access-protection](includes/kernel-direct-memory-access-protection.md)]
-Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
-implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
-
-Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
-
-Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
-
-With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
-- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
-
-## Hardware-enforced stack protection
-
-Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
-
-Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
-- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
-
-## Kernel Direct Memory Access (DMA) protection
-
-Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
-
-## Secured-core PC
-
-The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
-
-Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
-
-Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
-
-Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
-
-In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
-
-System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
-
-:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false":::
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
-- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
-
-## Secured-core configuration lock
-
-In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
+[!INCLUDE [secured-core-pc-and-edge-secured-core](includes/secured-core-pc-and-edge-secured-core.md)]
diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md
index f6a8137aac..7d1f8669b1 100644
--- a/windows/security/book/hardware-security.md
+++ b/windows/security/book/hardware-security.md
@@ -1,16 +1,16 @@
---
-title: Hardware security
-description: Windows 11 security book - Hardware security chapter.
+title: Windows 11 security book - Hardware security
+description: Hardware security chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Hardware security
:::image type="content" source="images/hardware-security-cover.png" alt-text="Cover of the hardware security chapter." border="false":::
-:::image type="content" source="images/hardware-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+Today's ever-evolving threats require strong alignment between hardware and software to keep users, data, and devices protected. The operating system and software alone can't defend against the wide range of tools used by cybercriminals to steal credentials, take data, and implant malware.
-Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
+In partnership with our silicon and device manufacturing partners, Windows 11 devices shield software, hardware, and firmware with features like Trusted Platform Module (TPM) 2.0, Microsoft Pluton, and Virtualization-based security (VBS). Windows 11 devices provide hardware-backed protection by default to significantly improve security while maintaining the performance that users expect.
-With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise. We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
+:::image type="content" source="images/hardware-on.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index f5b1e3d1a4..0a7d8cad1f 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,96 +1,26 @@
---
-title: Identity protection - Advanced credential protection
-description: Windows 11 security book -Identity protection chapter.
+title: Windows 11 security book - Advanced credential protection
+description: Identity protection chapter - Advanced credential protection.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Advanced credential protection
-:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard.
-## Enhanced phishing protection with Microsoft Defender SmartScreen
+[!INCLUDE [local-security-authority-protection](includes/local-security-authority-protection.md)]
-As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
+[!INCLUDE [credential-guard](includes/credential-guard.md)]
-However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
+[!INCLUDE [remote-credential-guard](includes/remote-credential-guard.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [vbs-key-protection](includes/vbs-key-protection.md)]
-- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
+[!INCLUDE [token-protection](includes/token-protection.md)]
-## Local Security Authority (LSA) protection
+[!INCLUDE [account-lockout-policies](includes/account-lockout-policies.md)]
-Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Azure services.
-
-To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
-
-## Credential Guard
-
-Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
-
-By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
-
-## Remote Credential Guard
-
-Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
-
-Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
-
-## Token protection
-
-Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[9\]](conclusion.md#footnote9) can be configured to require token protection when using sign-in tokens for specific services.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
-
-## Sign-in session token protection policy
-
-At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
-
-## Account lockout policies
-
-New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
-
-The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
-
-## Access management and control
-
-Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
-
-Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
-
-IT administrators can refine the application and management of access to:
-
-- Protect a greater number and variety of network resources from misuse
-- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
-- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
-- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
-- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Access control](/windows/security/identity-protection/access-control/access-control)
+[!INCLUDE [access-management-and-control](includes/access-management-and-control.md)]
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index 00ee61f822..8c8b1efb2f 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,172 +1,32 @@
---
-title: Identity protection - Passwordless sign-in
-description: Windows 11 security book -Identity protection chapter.
+title: Windows 11 security book - Passwordless sign-in
+description: Identity protection chapter - Passwordless sign-in.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Passwordless sign-in
-:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
-Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
+Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, credentials are safeguarded by multiple layers of hardware and software security, providing users with seamless, passwordless access to their apps and cloud services.
-## Windows Hello
+[!INCLUDE [windows-hello](includes/windows-hello.md)]
-Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+[!INCLUDE [windows-presence-sensing](includes/windows-presence-sensing.md)]
-[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+[!INCLUDE [windows-hello-for-business](includes/windows-hello-for-business.md)]
-The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
+[!INCLUDE [enhanced-sign-in-security](includes/enhanced-sign-in-security.md)]
-Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
+[!INCLUDE [fido2](includes/fido2.md)]
-PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+[!INCLUDE [microsoft-authenticator](includes/microsoft-authenticator.md)]
-Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
+[!INCLUDE [web-sign-in](includes/web-sign-in.md)]
-## Windows Hello for Business
+[!INCLUDE [federated-sign-in](includes/federated-sign-in.md)]
-Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
+[!INCLUDE [smart-cards](includes/smart-cards.md)]
-## Windows Hello for Business Passwordless
-
-Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
-
-IT can now set a policy for Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
-
-During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
-
-Provisioning methods include:
-
-- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
-- Existing multifactor authentication with Microsoft Entra ID, including authentication methods like the Microsoft Authenticator app
-
-Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
-
-Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
-
-Users will authenticate directly with Microsoft Entra ID, helping speed access to on- premises applications and other resources.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
-
-## Windows Hello PIN
-
-The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
-
-The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
-
-## Windows Hello biometric sign-in
-
-Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
-
-Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
-
-If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
-
-## Windows Hello Enhanced Sign-in Security
-
-Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
-
-Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
-
-These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
-
-Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
-## Windows Hello for Business multi-factor unlock
-
-For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
-
-Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
-
-## Windows presence sensing
-
-Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
-
-Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
-
-## Developer APIs and app privacy support for presence sensing
-
-Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
-
-Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
-- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
-
-## FIDO support
-
-The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
-
-Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Passwordless security key sign-in](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
-
-## Passkeys
-
-Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
-
-A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey from Windows Hello, an external security provider, or their mobile device.
-
-Passkeys on Windows 11 are protected by Windows Hello or Windows Hello for Business. This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users can manage passkeys on their device on Windows 11 account settings.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
-
-## Microsoft Authenticator
-
-The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
-
-Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
-
-Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
-
-Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
-
-Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Microsoft Authenticator](/azure/active-directory/authentication/concept-authentication-authenticator-app)
-
-## Smart cards for Windows service
-
-Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
-
-**Smart cards provide:**
-
-- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation
-- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
-- Portability of credentials and other private information between computers at work, home, or on the road
-
-Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
-
-When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
-
-## Federated sign-in
-
-Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
+[!INCLUDE [enhanced-phishing-protection-in-microsoft-defender-smartscreen](includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md)]
diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md
index d614925654..41d1b6bca6 100644
--- a/windows/security/book/identity-protection.md
+++ b/windows/security/book/identity-protection.md
@@ -1,16 +1,16 @@
---
-title: Identity protection
-description: Windows 11 security book -Identity protection chapter.
+title: Windows 11 security book - Identity protection
+description: Identity protection chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Identity protection
:::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
-:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today.
-Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
+Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources.
-Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
+:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
diff --git a/windows/security/book/images/access-work-or-school.png b/windows/security/book/images/access-work-or-school.png
index 4c256ca182..69fca1f5fa 100644
Binary files a/windows/security/book/images/access-work-or-school.png and b/windows/security/book/images/access-work-or-school.png differ
diff --git a/windows/security/book/images/application-security-cover.png b/windows/security/book/images/application-security-cover.png
index 3d8d9aa3d9..d49cf4a173 100644
Binary files a/windows/security/book/images/application-security-cover.png and b/windows/security/book/images/application-security-cover.png differ
diff --git a/windows/security/book/images/application-security-on.png b/windows/security/book/images/application-security-on.png
index d15844943d..97b86789d5 100644
Binary files a/windows/security/book/images/application-security-on.png and b/windows/security/book/images/application-security-on.png differ
diff --git a/windows/security/book/images/application-security.png b/windows/security/book/images/application-security.png
index bebbcf3891..2188dd6a91 100644
Binary files a/windows/security/book/images/application-security.png and b/windows/security/book/images/application-security.png differ
diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg
new file mode 100644
index 0000000000..c4df2e11d2
--- /dev/null
+++ b/windows/security/book/images/azure-attestation.svg
@@ -0,0 +1,20 @@
+
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
index 08f370e1f9..e26a786101 100644
Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/cloud-security-on.png b/windows/security/book/images/cloud-security-on.png
index eb2666b9fa..a902352b0e 100644
Binary files a/windows/security/book/images/cloud-security-on.png and b/windows/security/book/images/cloud-security-on.png differ
diff --git a/windows/security/book/images/cloud-security.png b/windows/security/book/images/cloud-security.png
index 2d1b118594..e483a71861 100644
Binary files a/windows/security/book/images/cloud-security.png and b/windows/security/book/images/cloud-security.png differ
diff --git a/windows/security/book/images/cloud-services-cover.png b/windows/security/book/images/cloud-services-cover.png
index d5961c347e..f33886677a 100644
Binary files a/windows/security/book/images/cloud-services-cover.png and b/windows/security/book/images/cloud-services-cover.png differ
diff --git a/windows/security/book/images/cover.png b/windows/security/book/images/cover.png
index 4d5b549c44..dd1c91f28b 100644
Binary files a/windows/security/book/images/cover.png and b/windows/security/book/images/cover.png differ
diff --git a/windows/security/book/images/credential-guard-architecture.png b/windows/security/book/images/credential-guard-architecture.png
new file mode 100644
index 0000000000..fd55100713
Binary files /dev/null and b/windows/security/book/images/credential-guard-architecture.png differ
diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg
new file mode 100644
index 0000000000..bf135a593b
--- /dev/null
+++ b/windows/security/book/images/defender-for-endpoint.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/book/images/device-registration.png b/windows/security/book/images/device-registration.png
new file mode 100644
index 0000000000..b6ee9cebf1
Binary files /dev/null and b/windows/security/book/images/device-registration.png differ
diff --git a/windows/security/book/images/hardware-on.png b/windows/security/book/images/hardware-on.png
index 89bc3c7a69..79dbe2aee5 100644
Binary files a/windows/security/book/images/hardware-on.png and b/windows/security/book/images/hardware-on.png differ
diff --git a/windows/security/book/images/hardware-security-cover.png b/windows/security/book/images/hardware-security-cover.png
index 5328456231..da283d2f4f 100644
Binary files a/windows/security/book/images/hardware-security-cover.png and b/windows/security/book/images/hardware-security-cover.png differ
diff --git a/windows/security/book/images/hardware.png b/windows/security/book/images/hardware.png
index 9f526775df..a16761650c 100644
Binary files a/windows/security/book/images/hardware.png and b/windows/security/book/images/hardware.png differ
diff --git a/windows/security/book/images/identity-protection-cover.png b/windows/security/book/images/identity-protection-cover.png
index 6fe6084305..12dd9d85bd 100644
Binary files a/windows/security/book/images/identity-protection-cover.png and b/windows/security/book/images/identity-protection-cover.png differ
diff --git a/windows/security/book/images/identity-protection-on.png b/windows/security/book/images/identity-protection-on.png
index c099ebb82f..5c8f53c733 100644
Binary files a/windows/security/book/images/identity-protection-on.png and b/windows/security/book/images/identity-protection-on.png differ
diff --git a/windows/security/book/images/identity-protection.png b/windows/security/book/images/identity-protection.png
index 300e3d89ef..08f3192393 100644
Binary files a/windows/security/book/images/identity-protection.png and b/windows/security/book/images/identity-protection.png differ
diff --git a/windows/security/book/images/information.svg b/windows/security/book/images/information.svg
new file mode 100644
index 0000000000..570c319c9a
--- /dev/null
+++ b/windows/security/book/images/information.svg
@@ -0,0 +1,12 @@
+
diff --git a/windows/security/book/images/kiosk.png b/windows/security/book/images/kiosk.png
new file mode 100644
index 0000000000..01a7daaee9
Binary files /dev/null and b/windows/security/book/images/kiosk.png differ
diff --git a/windows/security/book/images/learn-more.svg b/windows/security/book/images/learn-more.svg
deleted file mode 100644
index 947593db41..0000000000
--- a/windows/security/book/images/learn-more.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg
new file mode 100644
index 0000000000..5cb2cfe7be
--- /dev/null
+++ b/windows/security/book/images/microsoft-entra-id.svg
@@ -0,0 +1,8 @@
+
diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg
new file mode 100644
index 0000000000..714722c739
--- /dev/null
+++ b/windows/security/book/images/microsoft-intune.svg
@@ -0,0 +1,23 @@
+
diff --git a/windows/security/book/images/new-button-title.svg b/windows/security/book/images/new-button-title.svg
new file mode 100644
index 0000000000..15ea7247a2
--- /dev/null
+++ b/windows/security/book/images/new-button-title.svg
@@ -0,0 +1,6 @@
+
diff --git a/windows/security/book/images/new-button.svg b/windows/security/book/images/new-button.svg
new file mode 100644
index 0000000000..49bd889d96
--- /dev/null
+++ b/windows/security/book/images/new-button.svg
@@ -0,0 +1,13 @@
+
diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg
new file mode 100644
index 0000000000..6f9ac42e61
--- /dev/null
+++ b/windows/security/book/images/onedrive.svg
@@ -0,0 +1,29 @@
+
diff --git a/windows/security/book/images/operating-system-on.png b/windows/security/book/images/operating-system-on.png
index d97bd2a9ba..524c7ac372 100644
Binary files a/windows/security/book/images/operating-system-on.png and b/windows/security/book/images/operating-system-on.png differ
diff --git a/windows/security/book/images/operating-system-security-cover.png b/windows/security/book/images/operating-system-security-cover.png
index 955891f34d..c3b24e0a2a 100644
Binary files a/windows/security/book/images/operating-system-security-cover.png and b/windows/security/book/images/operating-system-security-cover.png differ
diff --git a/windows/security/book/images/operating-system.png b/windows/security/book/images/operating-system.png
index 288e01fc73..c5bfb38b42 100644
Binary files a/windows/security/book/images/operating-system.png and b/windows/security/book/images/operating-system.png differ
diff --git a/windows/security/book/images/passkey-save-3p.png b/windows/security/book/images/passkey-save-3p.png
new file mode 100644
index 0000000000..747bdc074b
Binary files /dev/null and b/windows/security/book/images/passkey-save-3p.png differ
diff --git a/windows/security/book/images/pde.png b/windows/security/book/images/pde.png
new file mode 100644
index 0000000000..5ed0a99cf5
Binary files /dev/null and b/windows/security/book/images/pde.png differ
diff --git a/windows/security/book/images/privacy-cover.png b/windows/security/book/images/privacy-cover.png
index 09a4364bb0..e7a0a5825c 100644
Binary files a/windows/security/book/images/privacy-cover.png and b/windows/security/book/images/privacy-cover.png differ
diff --git a/windows/security/book/images/privacy-on.png b/windows/security/book/images/privacy-on.png
index 83e4d59c8b..be6f888dce 100644
Binary files a/windows/security/book/images/privacy-on.png and b/windows/security/book/images/privacy-on.png differ
diff --git a/windows/security/book/images/privacy.png b/windows/security/book/images/privacy.png
index f0772e28ba..4a87f077fb 100644
Binary files a/windows/security/book/images/privacy.png and b/windows/security/book/images/privacy.png differ
diff --git a/windows/security/book/images/secure-launch.png b/windows/security/book/images/secure-launch.png
index dd00cdc393..d83d884e44 100644
Binary files a/windows/security/book/images/secure-launch.png and b/windows/security/book/images/secure-launch.png differ
diff --git a/windows/security/book/images/security-foundation-cover.png b/windows/security/book/images/security-foundation-cover.png
index 5fdd9c7a92..9c97b0284c 100644
Binary files a/windows/security/book/images/security-foundation-cover.png and b/windows/security/book/images/security-foundation-cover.png differ
diff --git a/windows/security/book/images/security-foundation-on.png b/windows/security/book/images/security-foundation-on.png
index d6ddf2af1f..c0c23101bb 100644
Binary files a/windows/security/book/images/security-foundation-on.png and b/windows/security/book/images/security-foundation-on.png differ
diff --git a/windows/security/book/images/security-foundation.png b/windows/security/book/images/security-foundation.png
index 2810449234..ba54e5a0ba 100644
Binary files a/windows/security/book/images/security-foundation.png and b/windows/security/book/images/security-foundation.png differ
diff --git a/windows/security/book/images/sfi.png b/windows/security/book/images/sfi.png
new file mode 100644
index 0000000000..4bd6163fb2
Binary files /dev/null and b/windows/security/book/images/sfi.png differ
diff --git a/windows/security/book/images/soon-arrow.svg b/windows/security/book/images/soon-arrow.svg
new file mode 100644
index 0000000000..fc259c2605
--- /dev/null
+++ b/windows/security/book/images/soon-arrow.svg
@@ -0,0 +1,14 @@
+
diff --git a/windows/security/book/images/soon-button-title.svg b/windows/security/book/images/soon-button-title.svg
new file mode 100644
index 0000000000..c0b233518c
--- /dev/null
+++ b/windows/security/book/images/soon-button-title.svg
@@ -0,0 +1,7 @@
+
diff --git a/windows/security/book/images/uac-settings.png b/windows/security/book/images/uac-settings.png
deleted file mode 100644
index d4a8fc4bb0..0000000000
Binary files a/windows/security/book/images/uac-settings.png and /dev/null differ
diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg
new file mode 100644
index 0000000000..3c5d0761a2
--- /dev/null
+++ b/windows/security/book/images/universal-print.svg
@@ -0,0 +1,24 @@
+
diff --git a/windows/security/book/images/vbs-diagram.png b/windows/security/book/images/vbs-diagram.png
new file mode 100644
index 0000000000..c8a27ea370
Binary files /dev/null and b/windows/security/book/images/vbs-diagram.png differ
diff --git a/windows/security/book/images/windows-security.png b/windows/security/book/images/windows-security.png
new file mode 100644
index 0000000000..558b4790e0
Binary files /dev/null and b/windows/security/book/images/windows-security.png differ
diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg
new file mode 100644
index 0000000000..7882c89525
--- /dev/null
+++ b/windows/security/book/images/windows-security.svg
@@ -0,0 +1,24 @@
+
diff --git a/windows/security/book/includes/5g-and-esim.md b/windows/security/book/includes/5g-and-esim.md
new file mode 100644
index 0000000000..5fd47718b9
--- /dev/null
+++ b/windows/security/book/includes/5g-and-esim.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## 5G and eSIM
+
+5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server)
diff --git a/windows/security/book/includes/access-management-and-control.md b/windows/security/book/includes/access-management-and-control.md
new file mode 100644
index 0000000000..9558f332b2
--- /dev/null
+++ b/windows/security/book/includes/access-management-and-control.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Access management and control
+
+Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions.
+
+Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
+
+IT administrators can refine the application and management of access to:
+
+- Protect a greater number and variety of network resources from misuse
+- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
+- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change
+- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones
+- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Access control](/windows/security/identity-protection/access-control/access-control)
diff --git a/windows/security/book/includes/account-lockout-policies.md b/windows/security/book/includes/account-lockout-policies.md
new file mode 100644
index 0000000000..1ba4ef6d8b
--- /dev/null
+++ b/windows/security/book/includes/account-lockout-policies.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Account lockout policies
+
+New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
+
+The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
diff --git a/windows/security/book/includes/administrator-protection.md b/windows/security/book/includes/administrator-protection.md
new file mode 100644
index 0000000000..94e0654680
--- /dev/null
+++ b/windows/security/book/includes/administrator-protection.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection
+
+When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
+
+Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
+
+When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
+
+> [!NOTE]
+> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/how-user-account-control-works).
\ No newline at end of file
diff --git a/windows/security/book/includes/app-containers.md b/windows/security/book/includes/app-containers.md
new file mode 100644
index 0000000000..805fc850e7
--- /dev/null
+++ b/windows/security/book/includes/app-containers.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## App containers
+
+In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
+
+Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
diff --git a/windows/security/book/includes/app-control-for-business.md b/windows/security/book/includes/app-control-for-business.md
new file mode 100644
index 0000000000..7f07d0c010
--- /dev/null
+++ b/windows/security/book/includes/app-control-for-business.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## App Control for Business
+
+Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
+
+App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
+
+Microsoft Intune[\[4\]](..\conclusion.md#footnote4) can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
+- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
diff --git a/windows/security/book/includes/attack-surface-reduction-rules.md b/windows/security/book/includes/attack-surface-reduction-rules.md
new file mode 100644
index 0000000000..b5afd2b419
--- /dev/null
+++ b/windows/security/book/includes/attack-surface-reduction-rules.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Attack surface reduction rules
+
+Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
+
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
+
+For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
diff --git a/windows/security/book/includes/azure-attestation-service.md b/windows/security/book/includes/azure-attestation-service.md
new file mode 100644
index 0000000000..a25cd36b5e
--- /dev/null
+++ b/windows/security/book/includes/azure-attestation-service.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/azure-attestation.svg" border="false"::: Azure Attestation service
+
+Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](../conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) Conditional Access.
+
+**Attestation policies are configured in the Azure Attestation service which can then:**
+
+- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
+- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
+- Verify that security features are in the expected states
+
+Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Azure Attestation overview](/azure/attestation/overview)
diff --git a/windows/security/book/includes/bitlocker.md b/windows/security/book/includes/bitlocker.md
new file mode 100644
index 0000000000..1a4fe7f87e
--- /dev/null
+++ b/windows/security/book/includes/bitlocker.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## BitLocker
+
+BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[4\]](../conclusion.md#footnote4).
+
+For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[3\]](../conclusion.md#footnote3). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [BitLocker overview](/windows/security/operating-system-security/data-protection/bitlocker/index)
+
+### BitLocker To Go
+
+BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [BitLocker FAQ](/windows/security/operating-system-security/data-protection/bitlocker/faq)
diff --git a/windows/security/book/includes/bluetooth-protection.md b/windows/security/book/includes/bluetooth-protection.md
new file mode 100644
index 0000000000..6ee4c77147
--- /dev/null
+++ b/windows/security/book/includes/bluetooth-protection.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Bluetooth protection
+
+The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
+
+IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-bluetooth)
diff --git a/windows/security/book/includes/certificates.md b/windows/security/book/includes/certificates.md
new file mode 100644
index 0000000000..baeffee1ce
--- /dev/null
+++ b/windows/security/book/includes/certificates.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Certificates
+
+To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration.
diff --git a/windows/security/book/includes/cloud-native-device-management.md b/windows/security/book/includes/cloud-native-device-management.md
new file mode 100644
index 0000000000..9a41462bfa
--- /dev/null
+++ b/windows/security/book/includes/cloud-native-device-management.md
@@ -0,0 +1,33 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Cloud-native device management
+
+Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
+
+Windows 11 built-in management features include:
+
+- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Mobile device management overview](/windows/client-management/mdm-overview)
+
+### Remote wipe
+
+When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
+
+Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
+
+- Reset the device and remove user accounts and data
+- Reset the device and clean the drive
+- Reset the device but persist user accounts and data
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp)
diff --git a/windows/security/book/includes/code-signing-and-integrity.md b/windows/security/book/includes/code-signing-and-integrity.md
new file mode 100644
index 0000000000..addb51e857
--- /dev/null
+++ b/windows/security/book/includes/code-signing-and-integrity.md
@@ -0,0 +1,12 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Code signing and integrity
+
+To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
+
+The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)](/windows-hardware/design/compatibility/). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
diff --git a/windows/security/book/includes/coming-soon.md b/windows/security/book/includes/coming-soon.md
new file mode 100644
index 0000000000..7a334c6765
--- /dev/null
+++ b/windows/security/book/includes/coming-soon.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+---
+
+:::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon[\[7\]](..\conclusion.md#footnote7)**
diff --git a/windows/security/book/includes/common-criteria.md b/windows/security/book/includes/common-criteria.md
new file mode 100644
index 0000000000..ce3d43a27b
--- /dev/null
+++ b/windows/security/book/includes/common-criteria.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Common Criteria (CC)
+
+Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements.
+
+Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)
diff --git a/windows/security/book/includes/config-refresh.md b/windows/security/book/includes/config-refresh.md
new file mode 100644
index 0000000000..0840ffa1ed
--- /dev/null
+++ b/windows/security/book/includes/config-refresh.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Config Refresh
+
+With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
+
+By contrast, with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
+
+Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
+
+Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Config Refresh](https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921)
diff --git a/windows/security/book/includes/controlled-folder-access.md b/windows/security/book/includes/controlled-folder-access.md
new file mode 100644
index 0000000000..ff63f852ba
--- /dev/null
+++ b/windows/security/book/includes/controlled-folder-access.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Controlled folder access
+
+You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
+
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
+
+Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Controlled folder access](/defender-endpoint/controlled-folders)
diff --git a/windows/security/book/includes/credential-guard.md b/windows/security/book/includes/credential-guard.md
new file mode 100644
index 0000000000..585a959e83
--- /dev/null
+++ b/windows/security/book/includes/credential-guard.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Credential Guard
+
+:::row:::
+ :::column:::
+ Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="../images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="../images/credential-guard-architecture.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard)
diff --git a/windows/security/book/includes/cryptography.md b/windows/security/book/includes/cryptography.md
new file mode 100644
index 0000000000..afcd245f7d
--- /dev/null
+++ b/windows/security/book/includes/cryptography.md
@@ -0,0 +1,33 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Cryptography
+
+Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- FIPS 140 validation
+
+Windows cryptographic modules provide low-level primitives such as:
+
+- Random number generators (RNG)
+- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521
+- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512)
+- Signing and verification (padding support for OAEP, PSS, and PKCS1)
+- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF)
+
+Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- Cryptography and certificate management
+
+Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available.
+
+SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information
+exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers.
diff --git a/windows/security/book/includes/device-encryption.md b/windows/security/book/includes/device-encryption.md
new file mode 100644
index 0000000000..90c1598aca
--- /dev/null
+++ b/windows/security/book/includes/device-encryption.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Device encryption
+
+Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place.
+
+Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Device encryption](/windows/security/operating-system-security/data-protection/bitlocker#device-encryption)
diff --git a/windows/security/book/includes/device-health-attestation.md b/windows/security/book/includes/device-health-attestation.md
new file mode 100644
index 0000000000..f2e29c7df4
--- /dev/null
+++ b/windows/security/book/includes/device-health-attestation.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Device Health Attestation
+
+The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) reviews device health and connects this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) for conditional access.
+
+Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
+
+A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
+
+- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
+- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service
+- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
+- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Control the health of Windows devices](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
diff --git a/windows/security/book/includes/domain-name-system-security.md b/windows/security/book/includes/domain-name-system-security.md
new file mode 100644
index 0000000000..aab79775f9
--- /dev/null
+++ b/windows/security/book/includes/domain-name-system-security.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Domain Name System (DNS) security
+
+In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
+name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
+model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
+
+Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
+
+Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
diff --git a/windows/security/book/includes/email-encryption.md b/windows/security/book/includes/email-encryption.md
new file mode 100644
index 0000000000..911c19fb82
--- /dev/null
+++ b/windows/security/book/includes/email-encryption.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Email encryption
+
+Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them[\[8\]](../conclusion.md#footnote8). Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
+
+The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
+
+When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
+- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
+- [Email encryption](/purview/email-encryption)
diff --git a/windows/security/book/includes/encrypted-hard-drive.md b/windows/security/book/includes/encrypted-hard-drive.md
new file mode 100644
index 0000000000..03fbd3f9c4
--- /dev/null
+++ b/windows/security/book/includes/encrypted-hard-drive.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Encrypted hard drive
+
+Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives.
+
+By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
+
+Encrypted hard drives enable:
+
+- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
+- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
+- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive
+- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)
diff --git a/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md b/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..28cd032482
--- /dev/null
+++ b/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Enhanced phishing protection in Microsoft Defender SmartScreen
+
+As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
+
+We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
diff --git a/windows/security/book/includes/enhanced-sign-in-security.md b/windows/security/book/includes/enhanced-sign-in-security.md
new file mode 100644
index 0000000000..09b15d70c5
--- /dev/null
+++ b/windows/security/book/includes/enhanced-sign-in-security.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Enhanced Sign-in Security (ESS)
+
+Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+
+Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+
+These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.
+
+Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
diff --git a/windows/security/book/includes/exploit-protection.md b/windows/security/book/includes/exploit-protection.md
new file mode 100644
index 0000000000..aa573e5c43
--- /dev/null
+++ b/windows/security/book/includes/exploit-protection.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Exploit Protection
+
+Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4), which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously.
+
+When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
+
+You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP).
+
+Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection)
diff --git a/windows/security/book/includes/federal-information-processing-standard.md b/windows/security/book/includes/federal-information-processing-standard.md
new file mode 100644
index 0000000000..3968fa8c02
--- /dev/null
+++ b/windows/security/book/includes/federal-information-processing-standard.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Federal Information Processing Standard (FIPS)
+
+The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows FIPS 140 validation](/windows/security/security-foundations/certification/fips-140-validation)
diff --git a/windows/security/book/includes/federated-sign-in.md b/windows/security/book/includes/federated-sign-in.md
new file mode 100644
index 0000000000..51165aa8a2
--- /dev/null
+++ b/windows/security/book/includes/federated-sign-in.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Federated sign-in
+
+Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
diff --git a/windows/security/book/includes/fido2.md b/windows/security/book/includes/fido2.md
new file mode 100644
index 0000000000..24498aad60
--- /dev/null
+++ b/windows/security/book/includes/fido2.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## FIDO2
+
+The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+
+Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+
+### Passkeys
+
+Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+
+A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in.
+
+Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**.
+
+:::row:::
+ :::column span="2":::
+[!INCLUDE [coming-soon](coming-soon.md)]
+
+The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" border="false" source="../images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers." lightbox="../images/passkey-save-3p.png":::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Support for passkeys in Windows](/windows/security/identity-protection/passkeys)
+- [Enable passkeys (FIDO2) for your organization](/entra/identity/authentication/how-to-enable-passkey-fido2)
diff --git a/windows/security/book/includes/find-my-device.md b/windows/security/book/includes/find-my-device.md
new file mode 100644
index 0000000000..a39d698fa9
--- /dev/null
+++ b/windows/security/book/includes/find-my-device.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Find my device
+
+When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [How to set up, find, and lock a lost Windows device using a Microsoft account](https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316)
\ No newline at end of file
diff --git a/windows/security/book/includes/kernel-direct-memory-access-protection.md b/windows/security/book/includes/kernel-direct-memory-access-protection.md
new file mode 100644
index 0000000000..de343c3873
--- /dev/null
+++ b/windows/security/book/includes/kernel-direct-memory-access-protection.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Kernel direct memory access (DMA) protection
+
+Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Kernel direct memory access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
diff --git a/windows/security/book/includes/kiosk-mode.md b/windows/security/book/includes/kiosk-mode.md
new file mode 100644
index 0000000000..cfd97b6215
--- /dev/null
+++ b/windows/security/book/includes/kiosk-mode.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Kiosk mode
+
+:::row:::
+ :::column span="2":::
+ Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](../conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" source="../images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="../images/kiosk.png" :::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
diff --git a/windows/security/book/includes/learn-more.md b/windows/security/book/includes/learn-more.md
new file mode 100644
index 0000000000..22dcad82dc
--- /dev/null
+++ b/windows/security/book/includes/learn-more.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+---
+
+:::image type="icon" source="../images/information.svg" border="false"::: **Learn more**
diff --git a/windows/security/book/includes/local-security-authority-protection.md b/windows/security/book/includes/local-security-authority-protection.md
new file mode 100644
index 0000000000..fac74d5553
--- /dev/null
+++ b/windows/security/book/includes/local-security-authority-protection.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Local Security Authority (LSA) protection
+
+Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account.
+
+By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days.
+
+Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
+
+To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
\ No newline at end of file
diff --git a/windows/security/book/includes/microsoft-account.md b/windows/security/book/includes/microsoft-account.md
new file mode 100644
index 0000000000..3d91117714
--- /dev/null
+++ b/windows/security/book/includes/microsoft-account.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft account
+
+Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android.
+
+You can even go passwordless with your Microsoft account by removing the password from your MSA:
+
+- Use Windows Hello to eliminate the password sign-in method for an even more secure experience
+- Use the Microsoft Authenticator app on your Android or iOS device
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is a Microsoft account?](https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
+- [Go passwordless with your Microsoft account](https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856)
\ No newline at end of file
diff --git a/windows/security/book/includes/microsoft-authenticator.md b/windows/security/book/includes/microsoft-authenticator.md
new file mode 100644
index 0000000000..3343772fe9
--- /dev/null
+++ b/windows/security/book/includes/microsoft-authenticator.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Authenticator
+
+The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business.
+
+Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.
+
+Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
+
+Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app](/entra/identity/authentication/concept-authentication-authenticator-app)
diff --git a/windows/security/book/includes/microsoft-defender-antivirus.md b/windows/security/book/includes/microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..838e3f57c6
--- /dev/null
+++ b/windows/security/book/includes/microsoft-defender-antivirus.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on.
+
+Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware.
+
+Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work.
+
+:::image type="content" source="../images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows)
diff --git a/windows/security/book/includes/microsoft-defender-for-endpoint.md b/windows/security/book/includes/microsoft-defender-for-endpoint.md
new file mode 100644
index 0000000000..53de82c725
--- /dev/null
+++ b/windows/security/book/includes/microsoft-defender-for-endpoint.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint
+
+Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
+
+Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
+
+- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
+- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
+- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](../conclusion.md#footnote4), and online assets
+- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
+- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
+detailed investigation outcomes
+
+Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
+platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender)
diff --git a/windows/security/book/includes/microsoft-defender-smartscreen.md b/windows/security/book/includes/microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..a0de2dec1e
--- /dev/null
+++ b/windows/security/book/includes/microsoft-defender-smartscreen.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Defender SmartScreen
+
+Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files.
+
+SmartScreen determines whether a site is potentially malicious by:
+
+- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious
+
+SmartScreen also determines whether a downloaded app or app installer is potentially malicious by:
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
+- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
+
+With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[4\]](../conclusion.md#footnote4). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
+
+Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)
\ No newline at end of file
diff --git a/windows/security/book/includes/microsoft-entra-id.md b/windows/security/book/includes/microsoft-entra-id.md
new file mode 100644
index 0000000000..a3be65569d
--- /dev/null
+++ b/windows/security/book/includes/microsoft-entra-id.md
@@ -0,0 +1,83 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
+
+Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+
+Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
+
+:::row:::
+ :::column:::
+ For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="../images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="../images/device-registration.png":::
+ :::column-end:::
+:::row-end:::
+
+To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
+
+Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
+
+:::image type="content" source="../images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
+
+When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](../conclusion.md#footnote4), it receives the following security benefits:
+
+- Default managed user and device settings and policies
+- Single sign-in to all Microsoft Online Services
+- Full suite of authentication management capabilities using Windows Hello for Business
+- Single sign-on (SSO) to enterprise and SaaS applications
+- No use of consumer Microsoft account identity
+
+Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+
+In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
+
+Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Entra ID documentation][LINK-1]
+- [Microsoft Entra plans and pricing][LINK-2]
+
+### Microsoft Entra Private Access
+
+Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Entra Private Access][LINK-4]
+
+### Microsoft Entra Internet Access
+
+Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
+
+> [!NOTE]
+> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Entra Internet Access][LINK-3]
+- [Global Secure Access client for Windows][LINK-6]
+- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5]
+
+### Enterprise State Roaming
+
+Available to any organization with a Microsoft Entra ID Premium[\[4\]](../conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Enterprise State Roaming in Microsoft Entra ID][LINK-7]
+
+[LINK-1]: /entra
+[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing
+[LINK-3]: /entra/global-secure-access/concept-internet-access
+[LINK-4]: /entra/global-secure-access/concept-private-access
+[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access
+[LINK-6]: /entra/global-secure-access/how-to-install-windows-client
+[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable
diff --git a/windows/security/book/includes/microsoft-intune.md b/windows/security/book/includes/microsoft-intune.md
new file mode 100644
index 0000000000..37580c57b1
--- /dev/null
+++ b/windows/security/book/includes/microsoft-intune.md
@@ -0,0 +1,65 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/microsoft-intune.svg" border="false"::: Microsoft Intune
+
+Microsoft Intune[\[4\]](../conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
+
+Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
+
+Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](../conclusion.md#footnote11). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
+
+Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
+
+Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
+
+### Windows enrollment attestation
+
+When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
+
+With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
+
+### Microsoft Cloud PKI
+
+Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](../conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
+
+Key features include:
+
+- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune
+- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices
+- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client
+- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting
+
+With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview)
+
+### Endpoint Privilege Management (EPM)
+
+Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3)
+
+### Mobile application management (MAM)
+
+With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3)
diff --git a/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md b/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md
new file mode 100644
index 0000000000..75c37b8a7a
--- /dev/null
+++ b/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Offensive Research and Security Engineering
+
+Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [MORSE security team takes proactive approach to finding bugs](https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering)
+- [MORSE Blog](https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team)
diff --git a/windows/security/book/includes/microsoft-pluton-security-processor.md b/windows/security/book/includes/microsoft-pluton-security-processor.md
new file mode 100644
index 0000000000..fe93c04335
--- /dev/null
+++ b/windows/security/book/includes/microsoft-pluton-security-processor.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Pluton security processor
+
+The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
+
+Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update.
+
+As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution.
+
+Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
+
+Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats.
+
+Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem .
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
+- [Microsoft Pluton security processor](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)
diff --git a/windows/security/book/includes/microsoft-privacy-dashboard.md b/windows/security/book/includes/microsoft-privacy-dashboard.md
new file mode 100644
index 0000000000..4046ba5fb2
--- /dev/null
+++ b/windows/security/book/includes/microsoft-privacy-dashboard.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Privacy Dashboard
+
+Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy)
+- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report)
diff --git a/windows/security/book/includes/microsoft-security-development-lifecycle.md b/windows/security/book/includes/microsoft-security-development-lifecycle.md
new file mode 100644
index 0000000000..687e9a1b80
--- /dev/null
+++ b/windows/security/book/includes/microsoft-security-development-lifecycle.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Security Development Lifecycle (SDL)
+
+The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development.
diff --git a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
new file mode 100644
index 0000000000..dd34d489ee
--- /dev/null
+++ b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft vulnerable driver blocklist
+
+The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
\ No newline at end of file
diff --git a/windows/security/book/includes/network-protection.md b/windows/security/book/includes/network-protection.md
new file mode 100644
index 0000000000..ce1c9d0173
--- /dev/null
+++ b/windows/security/book/includes/network-protection.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Network protection
+
+While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files.
+
+When using Network Protection with Microsoft Defender for Endpoint, you can use *Indicators of Compromise* to block specific URLs and/or ip addresses.
+Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization. Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Network Protection library](/defender-endpoint/network-protection)
+- [Web protection library](/defender-endpoint/web-protection-overview)
diff --git a/windows/security/book/includes/new-24h2.md b/windows/security/book/includes/new-24h2.md
new file mode 100644
index 0000000000..8d1dcba478
--- /dev/null
+++ b/windows/security/book/includes/new-24h2.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+---
+
+:::image type="icon" source="../images/new-button.svg" border="false"::: **New in Windows 11, version 24H2**
diff --git a/windows/security/book/includes/onedrive-for-personal.md b/windows/security/book/includes/onedrive-for-personal.md
new file mode 100644
index 0000000000..912f163c57
--- /dev/null
+++ b/windows/security/book/includes/onedrive-for-personal.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## OneDrive for personal
+
+Microsoft OneDrive for personal[\[10\]](../conclusion.md#footnote10) offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
+
+- If a device is lost or stolen, users can quickly recover all their important files from the cloud
+- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Get started with OneDrive](https://support.microsoft.com/onedrive)
+- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
+- [How to restore from OneDrive](https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15)
\ No newline at end of file
diff --git a/windows/security/book/includes/onedrive-for-work-or-school.md b/windows/security/book/includes/onedrive-for-work-or-school.md
new file mode 100644
index 0000000000..77069d92a2
--- /dev/null
+++ b/windows/security/book/includes/onedrive-for-work-or-school.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/onedrive.svg" border="false"::: OneDrive for work or school
+
+OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
+
+When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
+
+Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS.
+
+There are several ways that OneDrive for work or school is protected at rest:
+
+- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security).
+- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
+- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
+- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1)
diff --git a/windows/security/book/includes/onefuzz-service.md b/windows/security/book/includes/onefuzz-service.md
new file mode 100644
index 0000000000..d8a11df8c5
--- /dev/null
+++ b/windows/security/book/includes/onefuzz-service.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## OneFuzz service
+
+A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released.
diff --git a/windows/security/book/includes/personal-data-encryption.md b/windows/security/book/includes/personal-data-encryption.md
new file mode 100644
index 0000000000..df921aa6a5
--- /dev/null
+++ b/windows/security/book/includes/personal-data-encryption.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Personal Data Encryption
+
+Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
+
+The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
+
+:::image type="content" source="../images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption)
diff --git a/windows/security/book/includes/personal-vault.md b/windows/security/book/includes/personal-vault.md
new file mode 100644
index 0000000000..2dde8778f3
--- /dev/null
+++ b/windows/security/book/includes/personal-vault.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Personal Vault
+
+Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices.
+
+Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Protect your OneDrive files in Personal Vault](https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4)
\ No newline at end of file
diff --git a/windows/security/book/includes/privacy-resource-usage.md b/windows/security/book/includes/privacy-resource-usage.md
new file mode 100644
index 0000000000..80e2023a9e
--- /dev/null
+++ b/windows/security/book/includes/privacy-resource-usage.md
@@ -0,0 +1,12 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Privacy resource usage
+
+Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
+
+This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired.
diff --git a/windows/security/book/includes/privacy-transparency-and-controls.md b/windows/security/book/includes/privacy-transparency-and-controls.md
new file mode 100644
index 0000000000..310dfda7b3
--- /dev/null
+++ b/windows/security/book/includes/privacy-transparency-and-controls.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Privacy transparency and controls
+
+Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more.
diff --git a/windows/security/book/includes/remote-credential-guard.md b/windows/security/book/includes/remote-credential-guard.md
new file mode 100644
index 0000000000..1f3048a2bd
--- /dev/null
+++ b/windows/security/book/includes/remote-credential-guard.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Remote Credential Guard
+
+Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
+
+Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)
diff --git a/windows/security/book/includes/rust-for-windows.md b/windows/security/book/includes/rust-for-windows.md
new file mode 100644
index 0000000000..85428c1b32
--- /dev/null
+++ b/windows/security/book/includes/rust-for-windows.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Rust for Windows
+
+Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector.
+We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Rust for Windows, and the windows crate](/windows/dev-environment/rust/rust-for-windows)
diff --git a/windows/security/book/includes/secure-future-initiative.md b/windows/security/book/includes/secure-future-initiative.md
new file mode 100644
index 0000000000..cb14affd1d
--- /dev/null
+++ b/windows/security/book/includes/secure-future-initiative.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Secure Future Initiative (SFI)
+
+Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security.
+
+The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security.
+
+To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI.
+
+:::image type="content" source="../images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="../images/sfi.png" border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Secure Future Initiative](https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/)
+- [September 2024 progress update on SFI](https://www.microsoft.com/trust-center/security/secure-future-initiative)
diff --git a/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md b/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md
new file mode 100644
index 0000000000..0255043353
--- /dev/null
+++ b/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md
@@ -0,0 +1,41 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Secured-core PC and Edge Secured-Core
+
+The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows.
+
+Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection.
+
+Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+
+Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+
+### Dynamic Root of Trust for Measurement (DRTM)
+
+In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface.
+
+System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
+
+:::image type="content" source="../images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="../images/secure-launch.png" border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection)
+- [Firmware Attack Surface Reduction](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction)
+- [Windows 11 secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- [Edge Secured-Core](/azure/certification/overview)
+
+### Configuration lock
+
+In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution.
+
+Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Secured-core PC configuration lock](/windows/client-management/mdm/config-lock)
diff --git a/windows/security/book/includes/secured-kernel.md b/windows/security/book/includes/secured-kernel.md
new file mode 100644
index 0000000000..e375041c7c
--- /dev/null
+++ b/windows/security/book/includes/secured-kernel.md
@@ -0,0 +1,52 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Secured kernel
+
+To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices.
+
+### Virtualization-based security (VBS)
+
+:::row:::
+ :::column:::
+ Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="../images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="../images/vbs-diagram.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
+
+### Hypervisor-protected code integrity (HVCI)
+
+Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
+
+With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
+
+### :::image type="icon" source="../images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT)
+
+Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures.
+
+### Hardware-enforced stack protection
+
+Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
+
+Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)
+- [Developer Guidance for hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340)
diff --git a/windows/security/book/includes/security-baselines.md b/windows/security/book/includes/security-baselines.md
new file mode 100644
index 0000000000..7b505a86c4
--- /dev/null
+++ b/windows/security/book/includes/security-baselines.md
@@ -0,0 +1,32 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Security baselines
+
+Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)
+
+### Security baseline for cloud-based device management solutions
+
+Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools.
+
+The security baseline includes policies for:
+
+- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting the use of legacy technology
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Intune security baseline overview](/mem/intune/protect/security-baselines)
+- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all)
diff --git a/windows/security/book/includes/server-message-block-file-services.md b/windows/security/book/includes/server-message-block-file-services.md
new file mode 100644
index 0000000000..c1786ce7d5
--- /dev/null
+++ b/windows/security/book/includes/server-message-block-file-services.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Server Message Block file services
+
+Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes.
+
+Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2](/windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes)
+- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview)
diff --git a/windows/security/book/includes/smart-app-control.md b/windows/security/book/includes/smart-app-control.md
new file mode 100644
index 0000000000..b5ac53b02f
--- /dev/null
+++ b/windows/security/book/includes/smart-app-control.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Smart App Control
+
+Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
+
+Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
+
+We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
+
+To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
+
+Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
\ No newline at end of file
diff --git a/windows/security/book/includes/smart-cards.md b/windows/security/book/includes/smart-cards.md
new file mode 100644
index 0000000000..99e1902345
--- /dev/null
+++ b/windows/security/book/includes/smart-cards.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Smart cards
+
+Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts.
+
+Smart cards provide:
+
+- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
+- Portability of credentials and other private information between computers at work, home, or on the road
+
+Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
+
+When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
+
+Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
diff --git a/windows/security/book/includes/software-bill-of-materials.md b/windows/security/book/includes/software-bill-of-materials.md
new file mode 100644
index 0000000000..2313e00800
--- /dev/null
+++ b/windows/security/book/includes/software-bill-of-materials.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Software bill of materials (SBOM)
+
+In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards.
+
+The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain.
+
+By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [SBOM tool](https://github.com/microsoft/sbom-tool)
+- [Code Sign Tool](https://github.com/microsoft/CoseSignTool)
diff --git a/windows/security/book/includes/tamper-protection.md b/windows/security/book/includes/tamper-protection.md
new file mode 100644
index 0000000000..86c6148c0b
--- /dev/null
+++ b/windows/security/book/includes/tamper-protection.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Tamper protection
+
+Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
+
+With tamper protection, malware is prevented from taking actions such as:
+
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
+- Disabling automatic actions on detected threats
+- Disabling archived files
+- Altering exclusions
+- Disabling notifications in the Windows Security app
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
diff --git a/windows/security/book/includes/token-protection.md b/windows/security/book/includes/token-protection.md
new file mode 100644
index 0000000000..17d3df3d13
--- /dev/null
+++ b/windows/security/book/includes/token-protection.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Token protection (preview)
+
+Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[4\]](../conclusion.md#footnote4) can be configured to require token protection when using sign-in tokens for specific services.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
+
+### Sign-in session token protection policy
+
+This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
diff --git a/windows/security/book/includes/transport-layer-security.md b/windows/security/book/includes/transport-layer-security.md
new file mode 100644
index 0000000000..765bf1db96
--- /dev/null
+++ b/windows/security/book/includes/transport-layer-security.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Transport Layer Security (TLS)
+
+Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
+- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947)
diff --git a/windows/security/book/includes/trusted-boot.md b/windows/security/book/includes/trusted-boot.md
new file mode 100644
index 0000000000..275e3da5b3
--- /dev/null
+++ b/windows/security/book/includes/trusted-boot.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Trusted Boot (Secure Boot + Measured Boot)
+
+Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process.
+
+Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy.
+
+Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Secure the Windows boot process](/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process)
+- [Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)
diff --git a/windows/security/book/includes/trusted-platform-module.md b/windows/security/book/includes/trusted-platform-module.md
new file mode 100644
index 0000000000..54688ee765
--- /dev/null
+++ b/windows/security/book/includes/trusted-platform-module.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Trusted Platform Module (TPM)
+
+Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
+- [Enable TPM 2.0 on your PC](https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
+- [Trusted Platform Module Technology Overview](/windows/security/hardware-security/tpm/trusted-platform-module-overview)
diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md
new file mode 100644
index 0000000000..3d0d8437ed
--- /dev/null
+++ b/windows/security/book/includes/trusted-signing.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing
+
+Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is Trusted Signing](/azure/trusted-signing/overview)
diff --git a/windows/security/book/includes/universal-print.md b/windows/security/book/includes/universal-print.md
new file mode 100644
index 0000000000..e7c33679f1
--- /dev/null
+++ b/windows/security/book/includes/universal-print.md
@@ -0,0 +1,50 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/universal-print.svg" border="false"::: Universal Print
+
+Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
+
+Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
+
+Universal Print supports Zero Trust security by requiring that:
+
+- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](../conclusion.md#footnote4). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
+- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
+- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
+- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
+- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
+- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
+
+Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](../conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices.
+
+Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
+
+More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24].
+
+The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25].
+
+Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit.
+
+For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Universal Print][LINK-26]
+- [Data handling in Universal Print][LINK-27]
+- [Delegate Printer Administration with Administrative Units][LINK-28]
+- [Print support app design guide][LINK-29]
+
+
+
+[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations
+[LINK-24]: /microsoft-365/enterprise/m365-dr-overview
+[LINK-25]: /universal-print/fundamentals/universal-print-qrcode
+[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print
+[LINK-27]: /universal-print/data-handling
+[LINK-28]: /universal-print/portal/delegated-admin
+[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide
diff --git a/windows/security/book/includes/vbs-key-protection.md b/windows/security/book/includes/vbs-key-protection.md
new file mode 100644
index 0000000000..9e7d9a6b4b
--- /dev/null
+++ b/windows/security/book/includes/vbs-key-protection.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: VBS key protection
+
+VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Advancing key protection in Windows using VBS](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988)
diff --git a/windows/security/book/includes/virtual-private-networks.md b/windows/security/book/includes/virtual-private-networks.md
new file mode 100644
index 0000000000..e12da89a32
--- /dev/null
+++ b/windows/security/book/includes/virtual-private-networks.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Virtual private networks (VPN)
+
+Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN
+protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
+consumer VPNs, including apps for the most popular enterprise VPN gateways.
+
+In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
+
+The Windows VPN platform connects to Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune[\[4\]](../conclusion.md#footnote4) and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
+
+With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
+
+The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows VPN technical guide](/windows/security/operating-system-security/network-security/vpn/vpn-guide)
diff --git a/windows/security/book/includes/virtualization-based-security-enclaves.md b/windows/security/book/includes/virtualization-based-security-enclaves.md
new file mode 100644
index 0000000000..ac2c868d50
--- /dev/null
+++ b/windows/security/book/includes/virtualization-based-security-enclaves.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
+
+A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks.
+
+VBS enclaves are available starting in Windows 11, version 24H2, and Windows Server 2025 on both x64 and ARM64.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Virtualization-based security enclave](/windows/win32/trusted-execution/vbs-enclaves)
diff --git a/windows/security/book/includes/web-sign-in.md b/windows/security/book/includes/web-sign-in.md
new file mode 100644
index 0000000000..0bdcc9906e
--- /dev/null
+++ b/windows/security/book/includes/web-sign-in.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Web sign-in
+
+With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign in also enables federated sign in with a SAML-P identity provider.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in)
diff --git a/windows/security/book/includes/wi-fi-connections.md b/windows/security/book/includes/wi-fi-connections.md
new file mode 100644
index 0000000000..3af4c8a6f8
--- /dev/null
+++ b/windows/security/book/includes/wi-fi-connections.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Wi-Fi connections
+
+Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
+
+The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
+
+Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication.
+
+Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included.
diff --git a/windows/security/book/includes/win32-app-isolation.md b/windows/security/book/includes/win32-app-isolation.md
new file mode 100644
index 0000000000..cdf174203e
--- /dev/null
+++ b/windows/security/book/includes/win32-app-isolation.md
@@ -0,0 +1,40 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation
+
+Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
+
+Win32 app isolation follows a two-step process:
+
+- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
+- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
+
+To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
+
+To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
+
+- Approaches for accessing data and privacy information
+- Integrating Win32 apps for compatibility with other Windows interfaces
+
+The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Win32 app isolation overview][LINK-4]
+- [Application Capability Profiler (ACP)][LINK-5]
+- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
+- [Sandboxing Python with Win32 app isolation][LINK-7]
+
+
+
+[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
+[LINK-2]: /windows/win32/secauthz/access-control-lists
+[LINK-4]: /windows/win32/secauthz/app-isolation-overview
+[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
+[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
+[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
diff --git a/windows/security/book/includes/windows-autopatch.md b/windows/security/book/includes/windows-autopatch.md
new file mode 100644
index 0000000000..fd24c75902
--- /dev/null
+++ b/windows/security/book/includes/windows-autopatch.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Autopatch
+
+Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks.
+
+There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw) commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
+- [Windows updates API overview](/graph/windowsupdates-concept-overview)
+- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
+- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch)
diff --git a/windows/security/book/includes/windows-autopilot.md b/windows/security/book/includes/windows-autopilot.md
new file mode 100644
index 0000000000..e46a1a1982
--- /dev/null
+++ b/windows/security/book/includes/windows-autopilot.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Autopilot
+
+Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
+
+With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings.
+
+Windows Autopilot enables you to:
+
+- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
+- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration)
+- Create and autoassignment of devices to configuration groups based on a device's profile
+- Customize of the out-of-box experience (OOBE) content specific to your organization
+
+Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Autopilot](/autopilot/overview)
+- [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset)
diff --git a/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md b/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md
new file mode 100644
index 0000000000..c8dfa0b2d3
--- /dev/null
+++ b/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows diagnostic data processor configuration
+
+The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
diff --git a/windows/security/book/includes/windows-firewall.md b/windows/security/book/includes/windows-firewall.md
new file mode 100644
index 0000000000..6e75d17aae
--- /dev/null
+++ b/windows/security/book/includes/windows-firewall.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Firewall
+
+Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic
+filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
+
+Windows Firewall offers the following benefits:
+
+- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
+- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
+- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
+
+Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
+
+Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[4\]](../conclusion.md#footnote4), using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Firewall overview](/windows/security/operating-system-security/network-security/windows-firewall)
+- [Firewall CSP](/windows/client-management/mdm/firewall-csp)
diff --git a/windows/security/book/includes/windows-hello-for-business.md b/windows/security/book/includes/windows-hello-for-business.md
new file mode 100644
index 0000000000..fa1f376c9d
--- /dev/null
+++ b/windows/security/book/includes/windows-hello-for-business.md
@@ -0,0 +1,59 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Hello for Business
+
+Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
+
+After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device.
+
+Provisioning methods include:
+
+- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password
+- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
+- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app
+
+Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account.
+
+There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business)
+- [Enable passkeys (FIDO2) for your organization](/entra/identity/authentication/how-to-enable-passkey-fido2)
+
+### PIN reset
+
+The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4).
+
+Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [PIN reset](/windows/security/identity-protection/hello-for-business/pin-reset)
+
+### Multi-factor unlock
+
+For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
+
+Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
+
+### Windows passwordless experience
+
+**Windows Hello for Business now support a fully passwordless experience.**
+
+IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
+
+Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)
diff --git a/windows/security/book/includes/windows-hello.md b/windows/security/book/includes/windows-hello.md
new file mode 100644
index 0000000000..806ed4ee22
--- /dev/null
+++ b/windows/security/book/includes/windows-hello.md
@@ -0,0 +1,46 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Hello
+
+Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+
+Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+
+The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
+
+Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
+
+PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+
+Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Configure Windows Hello](https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0)
+
+### Windows Hello PIN
+
+The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
+
+The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors.
+
+### Windows Hello biometric
+
+Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in.
+
+Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.
+
+If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
diff --git a/windows/security/book/includes/windows-hotpatch.md b/windows/security/book/includes/windows-hotpatch.md
new file mode 100644
index 0000000000..a417cec5fd
--- /dev/null
+++ b/windows/security/book/includes/windows-hotpatch.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Windows Hotpatch
+
+Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices.
+
+By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
diff --git a/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md b/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md
new file mode 100644
index 0000000000..ef4cf44951
--- /dev/null
+++ b/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Insider and Microsoft Bug Bounty Programs
+
+As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
+
+The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
+
+Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Insider Program](/windows-insider/get-started)
+- [Microsoft Bug Bounty Programs](https://www.microsoft.com/msrc/bounty)
diff --git a/windows/security/book/includes/windows-laps.md b/windows/security/book/includes/windows-laps.md
new file mode 100644
index 0000000000..9b4d12e98b
--- /dev/null
+++ b/windows/security/book/includes/windows-laps.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Local Administrator Password Solution (LAPS)
+
+Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
+
+Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4).
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
diff --git a/windows/security/book/includes/windows-presence-sensing.md b/windows/security/book/includes/windows-presence-sensing.md
new file mode 100644
index 0000000000..c0a2c00c41
--- /dev/null
+++ b/windows/security/book/includes/windows-presence-sensing.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows presence sensing
+
+Windows presence sensing[\[9\]](../conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
+
+Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.
+
+Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
+
+Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
+- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb)
diff --git a/windows/security/book/includes/windows-protected-print.md b/windows/security/book/includes/windows-protected-print.md
new file mode 100644
index 0000000000..4dc9cda421
--- /dev/null
+++ b/windows/security/book/includes/windows-protected-print.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Windows protected print
+
+Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
+
+The benefits of Windows protected print include:
+
+- Increased PC security
+- Simplified and consistent printing experience, regardless of PC architecture
+- Removes the need to manage print drivers
+
+Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows protected print](/windows-hardware/drivers/print/modern-print-platform)
+- [New, modern, and secure print experience from Windows](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645)
diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md
new file mode 100644
index 0000000000..c219cb8339
--- /dev/null
+++ b/windows/security/book/includes/windows-sandbox.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
+
+Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox)
diff --git a/windows/security/book/includes/windows-security-policy-settings-and-auditing.md b/windows/security/book/includes/windows-security-policy-settings-and-auditing.md
new file mode 100644
index 0000000000..82787e2e83
--- /dev/null
+++ b/windows/security/book/includes/windows-security-policy-settings-and-auditing.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows security policy settings and auditing
+
+Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control:
+
+- User authentication to a network or device
+- Resources that users are permitted to access
+- Whether to record a user or group's actions in the event log
+- Membership in a group
+
+Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies.
+
+All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
+
+1. Identify your most critical resources and activities.
+1. Identify the audit settings you need to track them.
+1. Assess the advantages and potential costs associated with each resource or setting.
+1. Test these settings to validate your choices.
+1. Develop plans for deploying and managing your audit policy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
+- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
diff --git a/windows/security/book/includes/windows-security.md b/windows/security/book/includes/windows-security.md
new file mode 100644
index 0000000000..5372df0ece
--- /dev/null
+++ b/windows/security/book/includes/windows-security.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Security
+
+:::row:::
+ :::column span="2":::
+ Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" source="../images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="../images/windows-security.png" :::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Stay Protected With the Windows Security App](https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963)
+- [Windows Security](/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center)
diff --git a/windows/security/book/includes/windows-software-development-kit.md b/windows/security/book/includes/windows-software-development-kit.md
new file mode 100644
index 0000000000..81a15b2dc8
--- /dev/null
+++ b/windows/security/book/includes/windows-software-development-kit.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Software Development Kit (SDK)
+
+Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows application development - best practices](/windows/apps/get-started/best-practices)
+- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples)
diff --git a/windows/security/book/includes/windows-subsystem-for-linux.md b/windows/security/book/includes/windows-subsystem-for-linux.md
new file mode 100644
index 0000000000..ae408bb558
--- /dev/null
+++ b/windows/security/book/includes/windows-subsystem-for-linux.md
@@ -0,0 +1,34 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Subsystem for Linux (WSL)
+
+With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
+- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
+- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
+
+These features can be set up using a device management solution such as Microsoft Intune[\[7\]](../conclusion.md#footnote7). Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Hyper-V Firewall][LINK-1]
+- [DNS Tunneling][LINK-2]
+- [Auto proxy][LINK-3]
+- [Intune setting for WSL][LINK-4]
+- [Microsoft Defender for Endpoint plug-in for WSL][LINK-5]
+
+
+
+[LINK-1]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
+[LINK-2]: /windows/wsl/networking#dns-tunneling
+[LINK-3]: /windows/wsl/networking#auto-proxy
+[LINK-4]: /windows/wsl/intune
+[LINK-5]: /defender-endpoint/mde-plugin-wsl
diff --git a/windows/security/book/includes/windows-update-for-business.md b/windows/security/book/includes/windows-update-for-business.md
new file mode 100644
index 0000000000..1cf9b9731b
--- /dev/null
+++ b/windows/security/book/includes/windows-update-for-business.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Update for Business
+
+Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
+
+Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
+
+This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Update for Business documentation](/windows/deployment/update/waas-manage-updates-wufb)
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index 3fddf8be3c..3ee48c98ad 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -1,55 +1,61 @@
---
-title: Windows security book introduction
-description: Windows security book introduction
+title: Windows 11 security book - Windows security book introduction
+description: Windows 11 security book introduction.
ms.topic: overview
-ms.date: 04/09/2024
-ROBOTS:
+ms.date: 11/18/2024
---
# Windows 11 Security Book
-:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book.":::
+:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book." border="false":::
## Introduction
-Emerging technologies and evolving business trends bring new opportunities and challenges for organizations of all sizes. As technology and workstyles transform, so does the threat landscape with growing numbers of increasingly sophisticated attacks on organizations and employees.
+Today's organizations face a world of accelerated change, from marketplace fluctuation and sociopolitical events to the rapid adoption of new AI technologies. However, as organizations and industries innovate, so do increasingly sophisticated cybercriminals. Research shows that employees, including their devices, services, and identities, are at the center of attacks on businesses of all sizes. Some leading threats include identity attacks, ransomware, targeted phishing attempts, and business email compromise[\[1\]](conclusion.md#footnote1).
-To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows *cybersecurity issues and risks* are top concerns for business decision-makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
+To address the ever-growing and changing threat landscape, we announced the [Secure Future Initiative (SFI)][LINK-1] in November 2023. The SFI endeavors to advance cybersecurity protection across all our company and products.
-In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches [\[1\]](conclusion.md#footnote1).
+Microsoft is committed to putting security above all else, with products and services that are secure by design and secure by default. We synthesize more than 65 trillion signals daily to understand digital threats and criminal cyberactivity[\[1\]](conclusion.md#footnote1). Through the SFI initiative, we've dedicated the equivalent of 34,000 full-time engineers to the highest priority security tasks. We continuously apply what we learn from incidents to improve our security and privacy models, security architecture, and technical controls.
-At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure. We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers [\[2\]](conclusion.md#footnote2).
+### Security by design. Security by default.
-Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies](https://www.cisa.gov/securebydesign). With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built in and enabled.
+Working together with a shared focus is key to improving global security, from individuals and organizations to governments and industries. The world is moving toward a [secure by design and secure by default][LINK-2] approach, where technology producers are tasked with incorporating security during the initial design phase, and offering products that deliver protection right out of the box. As part of our commitment to making the world a safer place, we build security into every innovation. Windows 11 is secure by design and secure by default, with layers of defense enabled on day one to enhance your protection without the need to first configure settings. This secure-by-design approach spans the Windows edition range including Pro, Enterprise, IoT Enterprise, and Education editions. Copilot+ PCs are the fastest, most intelligent Windows devices ever, and they're also the most secure. These groundbreaking AI PCs come with secured-core PC protection and the latest safeguards like Microsoft Pluton and Windows Enhanced Sign-in Security enabled by default.
-To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance [\[3\]](conclusion.md#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 [\[4\]](conclusion.md#footnote4).
+Except for Windows IoT Long-Term Servicing Channel (LTSC) editions, support for Windows 10 is ending soon on October 14, 2025. Upgrading or replacing outdated devices before Windows 10 support ends is a critical priority for building a strong security posture. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are relying on Windows 11.
-## Security priorities and benefits
+### Security priorities and benefits
-### Security by design and security by default
+Windows 11 enables you to focus on your work, not your security settings. Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 62% drop in security incidents, including a 3.0x reduction in firmware attacks[\[2\]](conclusion.md#footnote2).
-Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** [\[5\]](conclusion.md#footnote5).
+In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation[\[3\]](conclusion.md#footnote3), token protection[\[3\]](conclusion.md#footnote3), passkeys, and Microsoft Intune Endpoint Privilege Management[\[4\]](conclusion.md#footnote4) are some of the latest capabilities that help protect organizations and individual users against attack. Windows Hello and Windows Hello for Business work with hardware-based features like Trusted Platform Module (TPM) 2.0, biometric scanners, and Windows presence sensing to enable easier, secure sign-on and protection of your data and credentials.
-In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation [\[6\]](conclusion.md#footnote6), token protection [\[6\]](conclusion.md#footnote6), and Microsoft Intune Endpoint Privilege Management [\[7\]](conclusion.md#footnote7) are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
+Existing security features are also continuously enhanced across Windows 11. For example, BitLocker encryption has been optimized for additional security and performance, and is available on more devices.
-### Protect employees against evolving threats
+### Identity protection
-With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** [\[5\]](conclusion.md#footnote5).
+Attackers are increasingly targeting employees and their devices, so organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities, and features like passkeys and secure biometric sign-in virtually eliminate the risk of lost or stolen passwords[\[5\]](conclusion.md#footnote5). Enhanced phishing protection also increases safety; in fact, businesses reported 2.9x fewer instances of identity theft with the hardware-backed protection in Windows 11[\[2\]](conclusion.md#footnote2).
-### Gain mission-critical application safeguards
+### Application safeguards
-Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of application security that shield critical data and code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
+Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of security that shield critical data and defend code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated defense helps protect against breaches and malware, assists in keeping data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
-### End-to-end protection with modern management
+With Trusted Signing, developers can effortlessly sign their applications. This process ensures the authenticity and integrity of the applications while enhancing security features to prevent and mitigate the impacts of malware on Windows.
-Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% [\[8\]](conclusion.md#footnote8).
+### Device health and access control
-## Security by design and default
+Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft provides the tools needed to attest that the devices connecting to your network, or accessing your data and resources, are trustworthy. You can enforce security policies and conditional access with cloud-based device management solutions such as Microsoft Intune, Microsoft Entra ID, and a comprehensive security baseline. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 improves productivity for IT and security teams by a reported 25%[\[6\]](conclusion.md#footnote6).
-In Windows 11, hardware and software work together to protect sensitive data from the core of your PC all the way to the cloud. Comprehensive protection helps keep your organization secure, no matter where people work. This simple diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
+### Chip-to-cloud security
+
+In Windows 11, hardware and software work together to protect sensitive data, from the core of the device all the way to the cloud. Comprehensive protection helps keep organizations secure, no matter where people work. The following diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Windows security features licensing and edition requirements](/windows/security/licensing-and-edition-requirements?tabs=edition)
+- [Windows security features licensing and edition requirements](../licensing-and-edition-requirements.md)
+
+
+
+[LINK-1]: https://www.microsoft.com/trust-center/security/secure-future-initiative
+[LINK-2]: https://www.cisa.gov/resources-tools/resources/secure-by-design
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index c574d203f1..045bef6f75 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -1,74 +1,22 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Encryption and data protection
+description: Operating System security chapter - Encryption and data protection.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Encryption and data protection
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
-## BitLocker
+[!INCLUDE [bitlocker](includes/bitlocker.md)]
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune[\[6\]](conclusion.md#footnote6)> using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
+[!INCLUDE [device-encryption](includes/device-encryption.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [encrypted-hard-drive](includes/encrypted-hard-drive.md)]
-- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
+[!INCLUDE [personal-data-encryption](includes/personal-data-encryption.md)]
-## BitLocker To Go
-
-BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
-
-## Device Encryption
-
-Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
-
-## Encrypted hard drive
-
-Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full-disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
-
-By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
-
-Encrypted hard drives enable:
-
-- Smooth performance: Encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
-- Strong security based in hardware: Encryption is always "on," and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
-- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need
-to re-encrypt data on the drive
-- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
-
-## Personal data encryption
-
-Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
-
-With the first release of PDE (Windows 11 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the platform release of the next Windows version, PDE for Folders will be released, this feature would require no updates to any applications and protects the contents in the Known Windows Folders from bootup till first login. This reduces the barrier for entry for customers and they'll be able to get PDE security as part of the OS.
-
-PDE requires Microsoft Entra ID.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
-
-## Email encryption
-
-Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
-
-These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
-
-However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
+[!INCLUDE [email-encryption](includes/email-encryption.md)]
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index 5638c71bce..3ef8199a90 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -1,128 +1,38 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Network security
+description: Operating System security chapter - Network security.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Network security
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
Windows 11 raises the bar for network security, offering comprehensive protection to help people work with confidence from almost anywhere. To help reduce an organization's attack
surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
Using reputation-based services, network protection blocks access to potentially harmful, low-reputation domains and IP addresses.
-New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall (previously called Windows Defender Firewall) platforms offer new ways to easily configure and debug software.
+New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, and new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall platforms offer new ways to easily configure and debug software.
In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [How to protect your network](/defender-endpoint/network-protection)
-## Transport layer security (TLS)
+[!INCLUDE [transport-layer-security](includes/transport-layer-security.md)]
-Transport Layer Security (TLS) is the internet's most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Windows defaults to the latest protocol versions and strong cipher suites unless policies are in effect to limit them. There are many extensions available, such as client authentication for enhanced server security and session resumption for improved application performance.
+[!INCLUDE [domain-name-system-security](includes/domain-name-system-security.md)]
-TLS 1.3 is the latest version of the protocol and is enabled by default starting with Windows 11 and Windows Server 2022. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and encrypts as much of the TLS handshake as possible. The handshake is more performant, with one fewer round trip per connection on average, and supports only five strong cipher suites, which provide perfect forward secrecy and reduced operational risk.
+[!INCLUDE [bluetooth-protection](includes/bluetooth-protection.md)]
-Customers using TLS 1.3 (or Windows components that support it, including HTTP.SYS, WinInet, .NET, MsQuic, and more) will get enhanced privacy and lower latencies for their encrypted online connections. Note that if either the client or server does not support TLS 1.3, Windows will fall back to TLS 1.2.
+[!INCLUDE [wi-fi-connections](includes/wi-fi-connections.md)]
-Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be disabled by default in future OS versions only. This change will come to Windows Insider Preview in September 2023. Organizations and application developers are strongly encouraged to begin to identify and remove code dependencies on TLS 1.0/1.1 if they have not done so already.
+[!INCLUDE [5g-and-esim](includes/5g-and-esim.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [windows-firewall](includes/windows-firewall.md)]
-- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
-- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
+[!INCLUDE [virtual-private-networks](includes/virtual-private-networks.md)]
-## DNS security
-
-In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
-name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
-model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
-
-Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
-
-Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT) and the system Hosts file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
-
-## Bluetooth protection
-
-The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
-
-IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
-
-## Securing Wi-Fi connections
-
-Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
-
-The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
-
-Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication.
-
-Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included.
-
-## 5G and eSIM
-
-5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server)
-
-## Windows Firewall
-
-Windows Firewall with Advanced Security (previously called Windows Defender Firewall) is an important part of a layered security model. It provides host-based, two-way network traffic
-filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
-
-Windows Firewall in Windows 11 offers the following benefits:
-
-- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses,
-ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
-- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
-- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
-
-Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior has been integrated with Packet Monitor (pktmon), an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
-
-Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[9\]](conclusion.md#footnote9), leveraging the platform
-support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
-
-## Virtual private networks (VPN)
-
-Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN
-protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
-consumer VPNs, including apps for the most popular enterprise VPN gateways.
-
-In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click, go to the modern Settings app for more control.
-
-The Windows VPN platform connects to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other modern device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
-
-With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
-
-The Windows VPN platform has been tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows VPN technical guide](../operating-system-security/network-security/vpn/vpn-guide.md)
-
-## Server Message Block file services
-
-Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. In Windows 11, the SMB protocol has significant security updates to meet today's threats, including AES-256 encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and an entirely new scenario, SMB over QUIC for untrusted networks.
-
-SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
-
-In Windows 11 Enterprise, Education, Pro, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional Transmission Control Protocol (TCP) and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now, data is encrypted before placement, leading to relatively minor performance degradation while adding packet privacy with AES-128 and AES-256 protection.
-
-Windows 11 also introduces AES-128-GMAC for SMB signing. Windows will automatically negotiate this better-performing cipher method when connecting to another computer that supports it. Signing prevents common attacks like relay and spoofing, and it is required by default when clients communicate with Active Directory domain controllers.
-
-Finally, Windows 11 introduces SMB over QUIC, an alternative to the TCP network transport that provides secure, reliable connectivity to edge file servers over untrusted networks like the internet, as well as highly secure communications on internal networks. QUIC is an Internet Engineering Task Force (IETF)-standardized protocol with many benefits when compared with TCP, but most importantly, it always requires TLS 1.3 and encryption. SMB over QUIC offers an SMB VPN for telecommuters, mobile device users, and high-security organizations. All SMB traffic, including authentication and authorization within the tunnel, is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change. SMB over QUIC will be a game-changing feature for Windows 11 accessing Windows file servers and eventually Azure Files and third parties.
-
-Newly installed Windows 11 Home editions that contain the February 2023 cumulative update no longer install the SMB 1.0 client by default, meaning the Home edition now operates like all other editions of Windows 11. SMB 1.0 is an unsafe and deprecated protocol that Microsoft superseded by later versions of SMB starting with Windows Vista. Microsoft began uninstalling SMB 1.0 by default in certain Windows 10 editions in 2017. No versions of Windows 11 now install SMB 1.0 by default.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview)
+[!INCLUDE [server-message-block-file-services](includes/server-message-block-file-services.md)]
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index a3d5e5e95b..6d8c6adc24 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -1,129 +1,32 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - System security
+description: Operating System security chapter - System security.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# System security
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
-## Trusted Boot (Secure Boot + Measured Boot)
+[!INCLUDE [trusted-boot](includes/trusted-boot.md)]
-Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process.
+[!INCLUDE [cryptography](includes/cryptography.md)]
-Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+[!INCLUDE [certificates](includes/certificates.md)]
-To reduce the risk of firmware rootkits, the PC verifies that firmware is digitally signed as it begins the boot process. Then Secure Boot checks the OS bootloader's digital signature as well as all code that runs prior to the operating system starting to ensure the signature and code are uncompromised and trusted by the Secure Boot policy.
+[!INCLUDE [code-signing-and-integrity](includes/code-signing-and-integrity.md)]
-Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+[!INCLUDE [device-health-attestation](includes/device-health-attestation.md)]
-Tampering or malware attacks on the Windows boot sequence are blocked by the signature enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+[!INCLUDE [windows-security-policy-settings-and-auditing](includes/windows-security-policy-settings-and-auditing.md)]
-For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
+[!INCLUDE [windows-security](includes/windows-security.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [config-refresh](includes/config-refresh.md)]
-- [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
+[!INCLUDE [kiosk-mode](includes/kiosk-mode.md)]
-## Cryptography
+[!INCLUDE [windows-protected-print](includes/windows-protected-print.md)]
-Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented.
-
-Learn more: FIPS 140 validation
-
-Windows cryptographic modules provide low-level primitives such as:
-
-- Random number generators (RNG)
-- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521
-- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512)
-- Signing and verification (padding support for OAEP, PSS, and PKCS1)
-- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF)
-
-Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
-
-Learn more: Cryptography and certificate management
-
-Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available.
-
-SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information
-exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers.
-
-## Certificates
-
-To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or MMC snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and
-certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust have not been revoked or compromised. The CTLs and CRLs on the machine are used as a reference for PKI trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices will be updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Additionally, enterprise certificate pinning can be used to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificate authorities. Any web application triggering a name mismatch will start event logging and prevent user access from Microsoft Edge.
-
-## Code signing and integrity
-
-To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
-
-The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the Windows Hardware Compatibility Program (WHCP). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
-
-## Device health attestation
-
-The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These
-determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a modern device management (MDM) tool like Microsoft Intune[\[9\]](conclusion.md#footnote9) reviews device health and connects this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) for conditional access.
-
-Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
-
-A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
-
-- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
-- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Microsoft Azure Attestation Service
-- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
-- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state.
-
-Learn more: Control the health of Windows devices
-
-## Windows security policy settings and auditing
-
-Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control:
-
-- User authentication to a network or device
-- Resources that users are permitted to access
-- Whether to record a user or group's actions in the event log
-- Membership in a group
-
-Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization.
-
-All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
-
-1. Identify your most critical resources and activities.
-1. Identify the audit settings you need to track them.
-1. Assess the advantages and potential costs associated with each resource or setting.
-1. Test these settings to validate your choices.
-1. Develop plans for deploying and managing your audit policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
-- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
-
-## Assigned Access
-
-With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
-
-## Config Refresh
-
-With traditional Group Policy, policies were refreshed on a PC when a user signed in and every 90 minutes by default. Administrators could adjust that timing to be shorter to ensure that the PC's policies were compliant with the management settings set by IT.
-
-By contrast, with an MDM solution like Microsoft Intune[\[9\]](conclusion.md#footnote9), policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy.
-
-Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It is configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through MDM.
-
-Config Refresh can also be *paused* for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a PC for troubleshooting purposes. It can also be resumed at any time by an administrator.
-
-## Windows security settings
-
-Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows security settings](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
-- [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md)
+[!INCLUDE [rust-for-windows](includes/rust-for-windows.md)]
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index c5873bd86f..fcc31121e8 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -1,126 +1,26 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Virus and threat protection
+description: Operating System security chapter - Virus and threat protection.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
-# Virus and threat protection
+# Virus and threat protection in Windows 11
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
Today's threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features that are built into Windows 11, is at the frontlines, protecting customers against current and emerging threats.
-## Microsoft Defender SmartScreen
+[!INCLUDE [microsoft-defender-smartscreen](includes/microsoft-defender-smartscreen.md)]
-Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files.
+[!INCLUDE [network-protection](includes/network-protection.md)]
-SmartScreen determines whether a site is potentially malicious by:
+[!INCLUDE [tamper-protection](includes/tamper-protection.md)]
-- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution
-- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious
+[!INCLUDE [microsoft-defender-antivirus](includes/microsoft-defender-antivirus.md)]
-SmartScreen also determines whether a downloaded app or app installer is potentially malicious by:
+[!INCLUDE [attack-surface-reduction-rules](includes/attack-surface-reduction-rules.md)]
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
-- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
+[!INCLUDE [controlled-folder-access](includes/controlled-folder-access.md)]
-With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[9\]](conclusion.md#footnote9). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
-
-Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
-
-The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
-
-## Microsoft Defender Antivirus
-
-Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
-
-Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but are not considered malware.
-
-Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies provides award-winning protection at home and at work.
-
-:::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Next-generation protection with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).
-
-## Attack surface reduction
-
-Attack surface reduction rules help prevent software behaviors that are often abused to compromise devices and networks. By reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
-
-- Launching executable files and scripts that attempt to download or run files
-- Running obfuscated or otherwise suspicious scripts
-- Performing behaviors that apps don't usually initiate during normal day-to-day work
-
-For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation
-
-For Microsoft Edge and reducing the attack surface across applications, folders, device,
-network, and firewall.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)
-
-## Tamper protection
-
-Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
-
-With tamper protection, malware is prevented from taking actions such as:
-
-- Disabling real-time protection
-- Turning off behavior monitoring
-- Disabling antivirus, such as IOfficeAntivirus (IOAV)
-- Disabling cloud-delivered protection
-- Removing security intelligence updates
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
-
-## Exploit protection
-
-Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9), which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune[\[9\]](conclusion.md#footnote9) to distribute the configuration XML file to multiple devices simultaneously.
-
-When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
-
-You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
-
-Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with Group Policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Protecting devices from exploits](/microsoft-365/security/defender-endpoint/enable-exploit-protection)
-
-## Controlled folder access
-
-You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
-
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
-
-Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
-
-## Microsoft Defender for Endpoint
-
-Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9) is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats.
-
-Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
-
-- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
-- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[9\]](conclusion.md#footnote9), and online assets
-- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked
-attacks that include 31 billion identity threats and 32 billion email threats
-- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
-detailed investigation outcomes
-
-Defender for Endpoint is also part of Microsoft 365 Defender, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
-platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+[!INCLUDE [exploit-protection](includes/exploit-protection.md)]
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
index f5bf82d057..17141c211b 100644
--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@@ -1,14 +1,16 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Operating System security
+description: Operating System security chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Operating System security
:::image type="content" source="images/operating-system-security-cover.png" alt-text="Cover of the operating system security chapter." border="false":::
-:::image type="content" source="images/operating-system-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+Operating systems face an onslaught of security threats, from malware and exploits to unauthorized access and privilege escalation. Windows 11 is the most secure Windows yet, with strong operating system safeguards to help keep devices, identities, and data safe.
-Windows 11 is the most secure Windows yet with extensive security measures in the operating system designed to help keep devices, identities, and information safe. These measures include built-in advanced encryption and data protection, robust network system security, and intelligent safeguards against ever-evolving viruses and threats.
+Defenses include a trusted boot process, layers of encryption, network security, and virus and threat protection. These comprehensive security features ensure that Windows 11 provides robust protection against modern cyber threats.
+
+:::image type="content" source="images/operating-system-on.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 01caad195d..217043c134 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -1,32 +1,16 @@
---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy controls
+description: Privacy chapter - Privacy controls.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Privacy controls
-:::image type="content" source="images/privacy.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+[!INCLUDE [microsoft-privacy-dashboard](includes/microsoft-privacy-dashboard.md)]
-## Privacy dashboard and report
+[!INCLUDE [privacy-transparency-and-controls](includes/privacy-transparency-and-controls.md)]
-Customers can use the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy) to view, export, and delete their information, giving them further transparency and control. They can also use the [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) to learn more about Windows data collection and how to manage it. For enterprises we provide a guide for Windows Privacy Compliance that includes additional details on the available controls and transparency.
+[!INCLUDE [privacy-resource-usage](includes/privacy-resource-usage.md)]
-## Privacy transparency and controls
-
-Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more.
-
-## Privacy resource usage
-
-Every Microsoft customer should be able to use our products secure in the knowledge that we will protect their privacy and give them the information and tools they need to easily make privacy decisions with confidence. Accessed in Settings, the new app usage history feature gives users a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
-
-This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired.
-
-## Windows diagnostic data processor configuration
-
-The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
+[!INCLUDE [windows-diagnostic-data-processor-configuration](includes/windows-diagnostic-data-processor-configuration.md)]
diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md
index 19cae8027a..d4acb2ffed 100644
--- a/windows/security/book/privacy.md
+++ b/windows/security/book/privacy.md
@@ -1,16 +1,14 @@
---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy
+description: Privacy chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Privacy
:::image type="content" source="images/privacy-cover.png" alt-text="Cover of the privacy chapter." border="false":::
-:::image type="content" source="images/privacy-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+Privacy is an important priority for individuals and organizations, and the rise of AI is bringing it into even sharper focus. Windows provides privacy controls that can be easily accessed in the Settings app or desktop system tray for speech, location, calendar, microphone, call history, and more. Users can also find more information and manage privacy settings for Microsoft apps and services by signing into their [account dashboard](https://privacy.microsoft.com/).
-[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/).
-
-Privacy is becoming top of mind for customers, who want to know who is using their data and why. They also need to know how to control and manage the data that is being collected - so providing transparency and control over this personal data is essential. At Microsoft we are focused on protecting the privacy and confidentiality of your data and will only use it in a way that is consistent with your expectations.
+:::image type="content" source="images/privacy-on.png" alt-text="Diagram containing a list of security features." lightbox="images/privacy.png" border="false":::
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index fe9fa899fc..2cc0aad27e 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -1,24 +1,16 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Certification
+description: Security foundation chapter - Certification.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Certification
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria, as an external validation of security assurance.
-## Federal Information Processing Standard (FIPS)
+[!INCLUDE [federal-information-processing-standard](includes/federal-information-processing-standard.md)]
-The Federal Information Processing Standard (FIPS) Publication 140 is a US government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
-
-## Common Criteria (CC)
-
-Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements.
-
-Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
-
-Microsoft publishes the list of FIPS 140 and Common Criteria certified products at [Federal](/windows/security/security-foundations/certification/fips-140-validation) [Information Processing Standard (FIPS)](/windows/security/security-foundations/certification/fips-140-validation) 140 Validation and [Common Criteria Certifications.](/windows/security/threat-protection/windows-platform-common-criteria)
+[!INCLUDE [common-criteria](includes/common-criteria.md)]
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index 965ecba6c0..ce6cfae794 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -1,42 +1,20 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Secure Future Initiative and offensive research
+description: Security foundation chapter - Secure Future Initiative and offensive research.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
-# Offensive research
+# Secure Future Initiative and offensive research
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
-## Microsoft Security Development Lifecycle (SDL)
+[!INCLUDE [secure-future-initiative](includes/secure-future-initiative.md)]
-The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development.
+[!INCLUDE [microsoft-security-development-lifecycle](includes/microsoft-security-development-lifecycle.md)]
-## OneFuzz service
+[!INCLUDE [onefuzz-service](includes/onefuzz-service.md)]
-A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
+[!INCLUDE [microsoft-offensive-research-and-security-engineering](includes/microsoft-offensive-research-and-security-engineering.md)]
-Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
-- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz)
-
-## Microsoft Offensive Research and Security Engineering
-
-[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
-
-## Windows Insider and Bug Bounty program
-
-As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
-
-The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
-
-Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quick fix the issues before releasing our final Windows.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Insider Program](/windows-insider/get-started)
-- [Microsoft bounty programs](https://www.microsoft.com/msrc/bounty)
+[!INCLUDE [windows-insider-and-microsoft-bug-bounty-programs](includes/windows-insider-and-microsoft-bug-bounty-programs.md)]
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
index ee2f6ef548..aff2c2efad 100644
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -1,22 +1,22 @@
---
-title: Secure supply chain
-description: Windows 11 security book - Security foundation chapter - Secure supply chain.
+title: Windows 11 security book - Secure supply chain
+description: Security foundation chapter - Secure supply chain.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Secure supply chain
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
-The end-to-end Windows 11 supply chain is complex, extending from the entire development process to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, as well as the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain.
+The end-to-end Windows 11 supply chain is complex. It extends from the entire development process, to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, and the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain.
Microsoft requires the Windows 11 supply chain to comply with controls including:
- Identity management and user access control
- Access control
- Principles of least privilege
- - RBAC
+ - Role-based access control (role-based access control)
- Segregation of duties
- MFAs
- Account management
@@ -42,7 +42,7 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
- Manufacturing security
- Physical security monitoring
- Supplier security control
- - SSPA
+ - Supplier Security and Privacy Assurance (SSPA)
- Supplier screening
- Supplier inventory
- Logistics security control
@@ -51,16 +51,6 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
- Warehouse & storage
- Logistics management
-## Software bill of materials (SBOM)
+[!INCLUDE [software-bill-of-materials](includes/software-bill-of-materials.md)]
-In addition to following the above supply chain security controls, SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers.
-
-Code-signing software is the best way to guarantee application integrity and authenticity and helps users distinguish between trusted applications and malware before downloading or installing. Code signing proprietary applications and software from other organizations greatly reduces the complexity of creating and managing application control policies. Code signing enables the creation and deployment of certificate chain-based application control policies, which can then be cryptographically enforced.
-
-Traditionally, code signing has been a difficult undertaking due to the complexities involved in obtaining certificates, securely managing those certificates, and integrating a proper signing process into the development and continuous integration and continuous deployment (CI/CD) pipelines.
-
-## Windows App software development kit (SDK)
-
-Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
-
-If you are a developer, you can find security best practices and information at [Windows application development - best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples). For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
+[!INCLUDE [windows-software-development-kit](includes/windows-software-development-kit.md)]
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
index f0fb340c8a..2748af0a55 100644
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@@ -1,18 +1,14 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Security foundation
+description: Security foundation chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
-# Security foundation
+# Security foundation in Windows 11
:::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::
-Microsoft is committed to continuously investing in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest lifecycle phases of all our product design and software development processes. We build in security from the ground up for powerful defense in today's threat environment and have the infrastructure to protect and react quickly to future threats.
+Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft's security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
-Every component of the Windows 11 technology stack, from chip-to-cloud, is purposefully built secure by design. Windows 11 meets the modern threats of today's flexible work environments by delivering hardware-based isolation, end-to-end encryption, and advanced malware protection.
-
-With Windows 11, organizations can improve productivity and gain intuitive new experiences without compromising security.
-
-:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
diff --git a/windows/security/book/toc.yml b/windows/security/book/toc.yml
index e1135516e9..928d02f50f 100644
--- a/windows/security/book/toc.yml
+++ b/windows/security/book/toc.yml
@@ -55,11 +55,13 @@ items:
items:
- name: Overview
href: security-foundation.md
- - name: Offensive research
+ - name: Secure Future Initiative and offensive research
href: security-foundation-offensive-research.md
- name: Certification
href: security-foundation-certification.md
- name: Secure supply chain
href: security-foundation-secure-supply-chain.md
- name: Conclusion
- href: conclusion.md
\ No newline at end of file
+ href: conclusion.md
+- name: Features index
+ href: features-index.md
\ No newline at end of file
diff --git a/windows/security/cloud-services/index.md b/windows/security/cloud-services/index.md
deleted file mode 100644
index 9124be688f..0000000000
--- a/windows/security/cloud-services/index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Windows and cloud services
-description: Get an overview of cloud-based services in Windows.
-ms.date: 05/06/2024
-ms.topic: overview
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows and cloud services
-
-Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
-
-From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
-
-Learn more about cloud-based services in Windows.
-
-[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]
diff --git a/windows/security/cloud-services/toc.yml b/windows/security/cloud-services/toc.yml
index 4132706858..92d3eaac86 100644
--- a/windows/security/cloud-services/toc.yml
+++ b/windows/security/cloud-services/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Overview
- href: index.md
- name: Join Active Directory and Microsoft Entra ID with single sign-on (SSO) 🔗
href: /azure/active-directory/devices/concept-azure-ad-join
- name: Security baselines with Intune 🔗
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 1a7808e2b1..eebfabaaa0 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -101,6 +101,12 @@
"security-foundations/certification/**/*.md": "mike-grimm",
"security-foundations/certification/**/*.yml": "mike-grimm"
},
+ "feedback_system": {
+ "book/*.md": "none"
+ },
+ "hideEdit": {
+ "book/*.md": "true"
+ },
"ms.author": {
"application-security//**/*.md": "vinpa",
"application-security//**/*.yml": "vinpa",
@@ -131,19 +137,21 @@
"application-security/application-control/user-account-control/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
],
- "application-security/application-control/windows-defender-application-control/**/*.md": [
+ "application-security/application-control/app-control-for-business/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
],
"book/**/*.md": [
- "✅ Windows 11"
+ "Windows 11"
],
"hardware-security/**/*.md": [
"✅ Windows 11",
@@ -166,6 +174,7 @@
"identity-protection/credential-guard/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
@@ -173,6 +182,7 @@
"identity-protection/smart-cards/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
@@ -180,6 +190,7 @@
"identity-protection/virtual-smart-cards/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
@@ -191,6 +202,7 @@
"operating-system-security/data-protection/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
@@ -198,6 +210,7 @@
"operating-system-security/data-protection/**/*.yml": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
@@ -218,6 +231,7 @@
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
@@ -229,7 +243,6 @@
"book/*.md": "paoloma",
"identity-protection/access-control/*.md": "sulahiri",
"identity-protection/credential-guard/*.md": "zwhittington",
- "identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/smart-cards/*.md": "ardenw",
"identity-protection/virtual-smart-cards/*.md": "ardenw",
"operating-system-security/data-protection/personal-data-encryption/*.md": "rhonnegowda",
@@ -239,7 +252,7 @@
"security-foundations/certification/**/*.md": "paoloma"
},
"ms.collection": {
- "book/*.md": "tier3",
+ "book/*.md": "tier1",
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
@@ -247,9 +260,6 @@
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"security-foundations/certification/**/*.md": "tier3",
"threat-protection/auditing/*.md": "tier3"
- },
- "ROBOTS": {
- "book/*.md": "NOINDEX"
}
},
"template": [],
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index 22b8f3245f..928f69bd65 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,7 +1,7 @@
---
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/10/2024
appliesto:
- "✅ Windows 11"
@@ -13,6 +13,9 @@ appliesto:
# Enable virtualization-based protection of code integrity
+> [!WARNING]
+> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
+
**Memory integrity** is a Virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
@@ -20,9 +23,6 @@ appliesto:
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
-> [!WARNING]
-> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
-
## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
@@ -32,28 +32,28 @@ appliesto:
To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
-- [Windows Security settings](#windows-security)
-- [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
-- [Group Policy](#enable-memory-integrity-using-group-policy)
-- [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
-- [Registry](#use-registry-keys-to-enable-memory-integrity)
+### [:::image type="icon" source="../images/icons/security-app.svg" border="false"::: **Windows Security**](#tab/security)
-### Windows Security
+### Enable memory integrity using Windows Security
**Memory integrity** can be turned on in **Windows Security** settings and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
+### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
### Enable memory integrity using Intune
Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
+### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
1. Double-click **Turn on Virtualization Based Security**.
-1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
+1. Select **Enabled**. Under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.

@@ -61,7 +61,9 @@ Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integri
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated Command Prompt.
-### Use registry keys to enable memory integrity
+### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
+
+### Enable memory integrity using registry
Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
@@ -85,74 +87,78 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
If you want to customize the preceding recommended settings, use the following registry keys.
-**To enable VBS only (no memory integrity)**
+- To enable VBS only (no memory integrity):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+ ```
-**To enable VBS and require Secure boot only (value 1)**
+- To enable VBS and require Secure boot only (value 1):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+ ```
-**To enable VBS with Secure Boot and DMA protection (value 3)**
+- To enable VBS with Secure Boot and DMA protection (value 3):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
+ ```
-**To enable VBS without UEFI lock (value 0)**
+- To enable VBS without UEFI lock (value 0):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+ ```
-**To enable VBS with UEFI lock (value 1)**
+- To enable VBS with UEFI lock (value 1):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
+ ```
-**To enable memory integrity**
+- To enable memory integrity:
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+ ```
-**To enable memory integrity without UEFI lock (value 0)**
+- To enable memory integrity without UEFI lock (value 0):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+ ```
-**To enable memory integrity with UEFI lock (value 1)**
+- To enable memory integrity with UEFI lock (value 1):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
+ ```
-**To enable VBS (and memory integrity) in mandatory mode**
+- To enable VBS (and memory integrity) in mandatory mode:
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
+ ```
-The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
+ The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
-> [!IMPORTANT]
-> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
+ > [!IMPORTANT]
+ > Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
-**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
-```cmd
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
-```
+- To gray out the memory integrity UI and display the message `This setting is managed by your administrator`:
-**To let memory integrity UI behave normally (Not grayed out)**
-```cmd
-reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
-```
+ ```cmd
+ reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
+ ```
+
+- To let memory integrity UI behave normally (Not grayed out):
+
+ ```cmd
+ reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
+ ```
+
+### [:::image type="icon" source="../images/icons/app-control.svg" border="false"::: **App Control**](#tab/appcontrol)
### Enable memory integrity using App Control for Business
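Review bot: The two `Locked` = 1 items in the new Registry tab (`To enable VBS with UEFI lock (value 1)` and `To enable memory integrity with UEFI lock (value 1)`) carry none of the caveat that the GPO tab gives for the same setting, and because the registry steps are now a separate tab a reader who lands there never sees it. Once the UEFI lock is set, the value can no longer be cleared by policy or remote management, and the GPO text says physical access to the UEFI menu is needed to turn the protection off again. Suggest adding, under each of those two code fences, a line such as `Once locked, this setting cannot be reverted remotely or by policy update; you need access to the UEFI BIOS menu to turn it off.` so the registry path is documented to the same standard as the GPO path. The "Mandatory" item keeps its IMPORTANT note, which is the right pattern to follow here.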
@@ -165,6 +171,8 @@ You can use App Control policy to turn on memory integrity using any of the foll
> [!NOTE]
> If your App Control policy is set to turn memory integrity on, it will be turned on even if the policy is in audit mode.
+---
+
### Validate enabled VBS and memory integrity features
#### Use Win32_DeviceGuard WMI class
@@ -180,82 +188,98 @@ Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\D
The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
-##### AvailableSecurityProperties
+- **InstanceIdentifier**: A string that is unique to a particular device and set by WMI.
-This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
+- **Version**: This field lists the version of this WMI class. The only valid value now is **1.0**.
-| Value | Description |
-|-------|---------------------------------------------------------|
-| **0** | If present, no relevant properties exist on the device. |
-| **1** | If present, hypervisor support is available. |
-| **2** | If present, Secure Boot is available. |
-| **3** | If present, DMA protection is available. |
-| **4** | If present, Secure Memory Overwrite is available. |
-| **5** | If present, NX protections are available. |
-| **6** | If present, SMM mitigations are available. |
-| **7** | If present, MBEC/GMET is available. |
-| **8** | If present, APIC virtualization is available. |
+- **AvailableSecurityProperties**: This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
-##### InstanceIdentifier
+ | Value | Description |
+ |-------|---------------------------------------------------------|
+ | **0** | If present, no relevant properties exist on the device. |
+ | **1** | If present, hypervisor support is available. |
+ | **2** | If present, Secure Boot is available. |
+ | **3** | If present, DMA protection is available. |
+ | **4** | If present, Secure Memory Overwrite is available. |
+ | **5** | If present, NX protections are available. |
+ | **6** | If present, SMM mitigations are available. |
+ | **7** | If present, MBEC/GMET is available. |
+ | **8** | If present, APIC virtualization is available. |
-A string that is unique to a particular device and set by WMI.
+- **CodeIntegrityPolicyEnforcementStatus**: This field indicates the code integrity policy enforcement status.
-##### RequiredSecurityProperties
+ | Value | Description |
+ |-------|-------------|
+ | **0** | Off |
+ | **1** | Audit. |
+ | **2** | Enforced. |
-This field describes the required security properties to enable VBS.
+- **RequiredSecurityProperties**: This field describes the required security properties to enable VBS.
-| Value | Description |
-|-------|------------------------------------------------|
-| **0** | Nothing is required. |
-| **1** | If present, hypervisor support is needed. |
-| **2** | If present, Secure Boot is needed. |
-| **3** | If present, DMA protection is needed. |
-| **4** | If present, Secure Memory Overwrite is needed. |
-| **5** | If present, NX protections are needed. |
-| **6** | If present, SMM mitigations are needed. |
-| **7** | If present, MBEC/GMET is needed. |
+ | Value | Description |
+ |-------|------------------------------------------------|
+ | **0** | Nothing is required. |
+ | **1** | If present, hypervisor support is needed. |
+ | **2** | If present, Secure Boot is needed. |
+ | **3** | If present, DMA protection is needed. |
+ | **4** | If present, Secure Memory Overwrite is needed. |
+ | **5** | If present, NX protections are needed. |
+ | **6** | If present, SMM mitigations are needed. |
+ | **7** | If present, MBEC/GMET is needed. |
-##### SecurityServicesConfigured
+- **SecurityServicesConfigured**: This field indicates whether Credential Guard or memory integrity is configured.
-This field indicates whether Credential Guard or memory integrity is configured.
+ | Value | Description |
+ |-------|-------------------------------------------------------|
+ | **0** | No services are configured. |
+ | **1** | If present, Credential Guard is configured. |
+ | **2** | If present, memory integrity is configured. |
+ | **3** | If present, System Guard Secure Launch is configured. |
+ | **4** | If present, SMM Firmware Measurement is configured. |
+ | **5** | If present, Kernel-mode Hardware-enforced Stack Protection is configured. |
+ | **6** | If present, Kernel-mode Hardware-enforced Stack Protection is configured in Audit mode. |
+ | **7** | If present, Hypervisor-Enforced Paging Translation is configured. |
-| Value | Description |
-|-------|-------------------------------------------------------|
-| **0** | No services are configured. |
-| **1** | If present, Credential Guard is configured. |
-| **2** | If present, memory integrity is configured. |
-| **3** | If present, System Guard Secure Launch is configured. |
-| **4** | If present, SMM Firmware Measurement is configured. |
+- **SecurityServicesRunning**: This field indicates whether Credential Guard or memory integrity is running.
-##### SecurityServicesRunning
+ | Value | Description |
+ |-------|----------------------------------------------------|
+ | **0** | No services running. |
+ | **1** | If present, Credential Guard is running. |
+ | **2** | If present, memory integrity is running. |
+ | **3** | If present, System Guard Secure Launch is running. |
+ | **4** | If present, SMM Firmware Measurement is running. |
+ | **5** | If present, Kernel-mode Hardware-enforced Stack Protection is running. |
+ | **6** | If present, Kernel-mode Hardware-enforced Stack Protection is running in Audit mode. |
+ | **7** | If present, Hypervisor-Enforced Paging Translation is running. |
-This field indicates whether Credential Guard or memory integrity is running.
+- **SmmIsolationLevel**: This field indicates the SMM isolation level.
-| Value | Description |
-|-------|----------------------------------------------------|
-| **0** | No services running. |
-| **1** | If present, Credential Guard is running. |
-| **2** | If present, memory integrity is running. |
-| **3** | If present, System Guard Secure Launch is running. |
-| **4** | If present, SMM Firmware Measurement is running. |
+- **UsermodeCodeIntegrityPolicyEnforcementStatus**: This field indicates the user mode code integrity policy enforcement status.
-##### Version
+ | Value | Description |
+ |-------|-------------|
+ | **0** | Off |
+ | **1** | Audit. |
+ | **2** | Enforced. |
-This field lists the version of this WMI class. The only valid value now is **1.0**.
+- **VirtualizationBasedSecurityStatus**: This field indicates whether VBS is enabled and running.
-##### VirtualizationBasedSecurityStatus
+ | Value | Description |
+ |-------|---------------------------------|
+ | **0** | VBS isn't enabled. |
+ | **1** | VBS is enabled but not running. |
+ | **2** | VBS is enabled and running. |
-This field indicates whether VBS is enabled and running.
+- **VirtualMachineIsolation**: This field indicates whether virtual machine isolation is enabled.
-| Value | Description |
-|-------|---------------------------------|
-| **0** | VBS isn't enabled. |
-| **1** | VBS is enabled but not running. |
-| **2** | VBS is enabled and running. |
+- **VirtualMachineIsolationProperties**: This field indicates the set of virtual machine isolation properties that are available.
-##### PSComputerName
-
-This field lists the computer name. All valid values for computer name.
+ | Value | Description |
+ |-------|-------------------------------|
+ | **1** | AMD SEV-SNP |
+ | **2** | Virtualization-based Security |
+ | **3** | Intel TDX |
#### Use msinfo32.exe
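Review bot: The new `SmmIsolationLevel` and `VirtualMachineIsolation` entries have no value table, unlike every sibling field in the list, so a reader using this section to validate enablement cannot interpret what the class returns for them; `VirtualMachineIsolationProperties` likewise starts at value 1 with no entry for the empty case. Either add tables in the same `| Value | Description |` shape as `SecurityServicesRunning`, or state explicitly where those values are defined. Since the section's purpose is to confirm memory integrity is on, it would also help to close the list with one sentence pointing at the field that answers that question, for example `To confirm that memory integrity is active, check that SecurityServicesRunning includes 2.` Minor style point: the `Off` / `Audit.` / `Enforced.` rows in the two enforcement-status tables mix punctuation; pick one form.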
diff --git a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
index 54f9cc0237..6e2dcf5d19 100644
--- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -3,7 +3,7 @@ title: How System Guard helps protect Windows
description: Learn how System Guard reorganizes the existing Windows system integrity features under one roof.
ms.localizationpriority: medium
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: article
---
# System Guard: How a hardware-based root of trust helps protect Windows
diff --git a/windows/security/hardware-security/index.md b/windows/security/hardware-security/index.md
deleted file mode 100644
index e8cfb27d50..0000000000
--- a/windows/security/hardware-security/index.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Windows hardware security
-description: Learn more about hardware security features support in Windows.
-ms.date: 07/10/2024
-ms.topic: overview
-appliesto:
----
-
-# Windows hardware security
-
-:::image type="content" source="..\book\images\hardware.png" alt-text="Diagram of containing a list of security features." lightbox="..\book\images\hardware.png" border="false":::
-
-Learn more about hardware security features support in Windows.
-
-[!INCLUDE [hardware](../includes/sections/hardware.md)]
diff --git a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
index d010c70d1c..71947fb098 100644
--- a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
@@ -3,7 +3,7 @@ title: Kernel DMA Protection
description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
ms.collection:
- tier1
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
index dfdb572272..0e940b9215 100644
--- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
@@ -1,7 +1,7 @@
---
title: Microsoft Pluton security processor
description: Learn more about Microsoft Pluton security processor
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/pluton/pluton-as-tpm.md b/windows/security/hardware-security/pluton/pluton-as-tpm.md
index 2946f43e11..c73773ce96 100644
--- a/windows/security/hardware-security/pluton/pluton-as-tpm.md
+++ b/windows/security/hardware-security/pluton/pluton-as-tpm.md
@@ -1,7 +1,7 @@
---
title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
index af01702227..d088aaf278 100644
--- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
@@ -2,7 +2,7 @@
title: System Guard Secure Launch and SMM protection
description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows devices.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: article
---
# System Guard Secure Launch and SMM protection
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
index 92e9f40c56..7cacd9e8a8 100644
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@@ -1,7 +1,5 @@
items:
- - name: Overview
- href: index.md
- - name: Hardware root of trust
+ - name: Hardware root-of-trust
items:
- name: System Guard
href: how-hardware-based-root-of-trust-helps-protect-windows.md
diff --git a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 7a1c590a9a..c6bbdddee7 100644
--- a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,7 +1,7 @@
---
title: Back up TPM recovery information to Active Directory
description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
index 37025f1eca..12ec2add28 100644
--- a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
@@ -1,7 +1,7 @@
---
title: Change the TPM owner password
description: This article for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
index a4d314ad3f..fc8234350c 100644
--- a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
@@ -1,7 +1,7 @@
---
title: How Windows uses the TPM
description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
index bede99fdbe..4534e82e7a 100644
--- a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,7 +1,7 @@
---
title: Troubleshoot the TPM
description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
-ms.topic: conceptual
+ms.topic: troubleshooting-general
ms.date: 07/10/2024
ms.collection:
- tier1
diff --git a/windows/security/hardware-security/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md
index fc2bcfb404..f65591233c 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-commands.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md
@@ -1,7 +1,7 @@
---
title: Manage TPM commands
description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
index 7dfa150354..070cfc617b 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-lockout.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
@@ -1,7 +1,7 @@
---
title: Manage TPM lockout
description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index c3cd7b4d47..d33b3d16c9 100644
--- a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,7 +1,7 @@
---
title: Understand PCR banks on TPM 2.0 devices
description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/tpm-fundamentals.md b/windows/security/hardware-security/tpm/tpm-fundamentals.md
index a6b202ab80..973ba406fe 100644
--- a/windows/security/hardware-security/tpm/tpm-fundamentals.md
+++ b/windows/security/hardware-security/tpm/tpm-fundamentals.md
@@ -1,7 +1,7 @@
---
title: Trusted Platform Module (TPM) fundamentals
description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md
index ff2f368320..5d8894c0dd 100644
--- a/windows/security/hardware-security/tpm/tpm-recommendations.md
+++ b/windows/security/hardware-security/tpm/tpm-recommendations.md
@@ -1,7 +1,7 @@
---
title: TPM recommendations
description: This article provides recommendations for Trusted Platform Module (TPM) technology for Windows.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
ms.collection:
- tier1
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
index 372d8ad9ee..65628f0704 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
@@ -1,7 +1,7 @@
---
title: Trusted Platform Module Technology Overview
description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 07/10/2024
ms.collection:
- tier1
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
index fdc858bcd3..11597ee071 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,7 +1,7 @@
---
title: TPM Group Policy settings
description: This article describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 20731a876a..12fe65bda4 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -6,6 +6,7 @@ ms.topic: overview
appliesto:
- ✅ Windows 11
- ✅ Windows 10
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 70dbff7388..102e723645 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -6,6 +6,7 @@ ms.topic: concept-article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
@@ -230,27 +231,27 @@ The following table shows the Group Policy and registry settings that are used t
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
- - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
- - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
- - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
+ - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
+ - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
+ - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
- - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
- - Right-click **Registry**, and > **New** > **Registry Item**
- - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
- - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
- - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- - In the **Value name** area, type `LocalAccountTokenFilterPolicy`
- - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
- - In the **Value data** box, ensure that the value is set to **0**
- - Verify this configuration, and > **OK**
+ - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
+ - Right-click **Registry**, and > **New** > **Registry Item**
+ - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
+ - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
+ - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
+ - In the **Value name** area, type `LocalAccountTokenFilterPolicy`
+ - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
+ - In the **Value data** box, ensure that the value is set to **0**
+ - Verify this configuration, and > **OK**
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
- - Navigate to the `*Forest*\\*Domain*\*OU*` path
- - Right-click the **Workstations > Link an existing GPO**
- - Select the GPO that you created, and > **OK**
+ - Navigate to the `*Forest*\\*Domain*\*OU*` path
+ - Right-click the **Workstations > Link an existing GPO**
+ - Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
@@ -291,9 +292,9 @@ The following table shows the Group Policy settings that are used to deny networ
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Link the GPO to the first **Workstations** OU as follows:
- - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
- - Right-click the **Workstations** OU, and > **Link an existing GPO**
- - Select the GPO that you created, and > **OK**
+ - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
+ - Right-click the **Workstations** OU, and > **Link an existing GPO**
+ - Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index dde02e443a..72b234fa55 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
title: Additional mitigations
description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
ms.topic: reference
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index b965f14e38..84a8a1ab89 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
title: Configure Credential Guard
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
ms.topic: how-to
@@ -11,9 +11,7 @@ This article describes how to configure Credential Guard using Microsoft Intune,
## Default enablement
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
-Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
+Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values overwrite the default enablement state after a reboot.
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 71298d9a5b..61c3a2f4ad 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
title: Considerations and known issues when using Credential Guard
description: Considerations, recommendations, and known issues when using Credential Guard.
ms.topic: troubleshooting
@@ -11,13 +11,11 @@ Microsoft recommends that in addition to deploying Credential Guard, organizatio
## Upgrade considerations
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard might affect previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
It's advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
-Upgrades to Windows 11, version 22H2, and Windows Server 2025 (preview) have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
+Upgrades to Windows 11, version 22H2, and Windows Server 2025 have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
## Wi-fi and VPN considerations
@@ -120,25 +118,23 @@ Credential Guard blocks certain authentication capabilities. Applications that r
This article describes known issues when Credential Guard is enabled.
-### Live migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
+### Live migration with Hyper-V breaks when upgrading to Windows Server 2025
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
-Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
+Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025. Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
||Description|
|-|-|
-| **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't domain controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
+| **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025, [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't domain controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
| **Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials.
If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
| **Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
-### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually reauthenticate in every new Windows session when Credential Guard is running.
||Description|
|-|-|
-| **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
+| **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
| **Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:
- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) - MS-CHAP (only SSO is blocked) - WDigest (only SSO is blocked) - NTLM v1 (only SSO is blocked)
**Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
| **Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication.
For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
@@ -148,7 +144,7 @@ Devices that use 802.1x wireless or wired network, RDP, or VPN connections that
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
> [!NOTE]
-> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> If it's present, the device enables Credential Guard after the update.
>
> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index beedce6046..57b7f1812e 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
title: How Credential Guard works
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.topic: concept-article
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index fcbe9884bb..ed560fd572 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
title: Credential Guard overview
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
ms.topic: overview
@@ -22,16 +22,14 @@ When enabled, Credential Guard provides the following benefits:
## Default enablement
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
-Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
+Starting in **Windows 11, 22H2** and **Windows Server 2025**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
When Credential Guard is enabled, [VBS](#system-requirements) is automatically enabled too.
> [!NOTE]
-> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
+> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
### Default enablement on Windows
@@ -48,7 +46,7 @@ Devices running Windows 11, 22H2 or later have Credential Guard enabled by defau
### Default enablement on Windows Server
-Devices running Windows Server 2025 (preview) or later have Credential Guard enabled by default if they:
+Devices running Windows Server 2025 or later have Credential Guard enabled by default if they:
- Meet the [license requirements](#windows-edition-and-licensing-requirements)
- Meet the [hardware and software requirements](#system-requirements)
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 55551c53ca..59d5e97382 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,8 +1,8 @@
---
-title: Enterprise certificate pinning
+title: Enterprise Certificate Pinning In Windows
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: concept-article
-ms.date: 03/12/2024
+ms.date: 12/02/2024
---
# Enterprise certificate pinning overview
diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 901fa618d2..29cb37b8e0 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -2,7 +2,7 @@
title: Configure Windows Hello for Business
description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
ms.topic: how-to
-ms.date: 04/23/2024
+ms.date: 11/05/2024
---
# Configure Windows Hello for Business
@@ -83,7 +83,7 @@ To check the Windows Hello for Business policy settings applied at enrollment ti
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that might be configured
-:::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
+ :::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
## Policy conflicts from multiple policy sources
@@ -109,7 +109,7 @@ Configuration type| Details |
| CSP (user)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies` **Key name**: `UsePassportForWork` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
| CSP (device)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies` **Key name**: `UsePassportForWork` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
| GPO (user)|**Key path**: `HKEY_USERS\\SOFTWARE\Policies\Microsoft\PassportForWork` **Key name**: `Enabled` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
-| GPO (user)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork` **Key name**: `Enabled` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
+| GPO (device)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork` **Key name**: `Enabled` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
> [!NOTE]
> If there's a conflicting device policy and user policy, the user policy takes precedence. It's not recommended to create Local GPO or registry settings that could conflict with an MDM policy. This conflict could lead to unexpected results.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
index 553251974a..3d39fd5952 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business cloud-only deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 03/12/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
index d17d8078a4..3e243e7804 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in a hybrid certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index 436f28fe2d..62058ca259 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -1,7 +1,7 @@
---
title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 09/26/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index ff9434bc73..201dcb360e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -1,7 +1,7 @@
---
title: Configure and validate the PKI in a hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 8b2347f411..ae5c58048b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index c547b535eb..c5415b75d6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business cloud Kerberos trust deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 03/12/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
@@ -41,13 +41,13 @@ If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the
When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
-- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
+- Appears as a read only domain controller (RODC) object, but isn't associated with any physical servers
- Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
> [!NOTE]
- > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
+ > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of privileged built-in security groups won't be able to use cloud Kerberos trust.
-:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server.":::
+:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server." lightbox="images/azuread-kerberos-object.png":::
For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust).
@@ -169,8 +169,8 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
-> [!NOTE]
-> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+ > [!NOTE]
+ > For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
## Migrate from certificate trust deployment model to cloud Kerberos trust
@@ -179,11 +179,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
-1. Disable the certificate trust policy
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
-1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
-1. Sign out and sign back in
-1. Provision Windows Hello for Business using a method of your choice
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings).
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
> [!NOTE]
> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index c97ec8cde9..fb1fca3ac8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,7 +1,7 @@
---
title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 2b775003f0..6c4e14aced 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
index 6adbe43c94..11af1ac31c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/23/2024
+ms.date: 11/22/2024
ms.topic: include
---
@@ -19,3 +19,6 @@ Windows Hello for Business requires users perform multifactor authentication (MF
For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+
+> [!TIP]
+> When you validate the AD FS configuration, verify if you need to update the configuration of user agent strings to support Windows Integrated Authentication (WIA). For more information, see [Change WIASupportedUserAgent settings](/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia#change-wiasupporteduseragent-settings).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 58bad86a1c..7975aad95b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 10/30/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index 41d9b6cdf9..67e1f2fa05 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 10/30/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 09c8d47a70..22fb26e965 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -1,7 +1,7 @@
---
title: Plan a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 05/16/2024
+ms.date: 02/25/2025
ms.topic: concept-article
---
@@ -65,7 +65,7 @@ Windows Hello for Business authentication to Microsoft Entra ID always uses the
The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
-The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
+The deployment of certificates to users and domain controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
There are three trust types from which you can choose:
@@ -251,7 +251,7 @@ Here are some considerations regarding licensing requirements for cloud services
### Windows requirements
-All supported Windows versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:
+All supported Windows (client) versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:
|| Deployment model | Trust type | Windows version|
|--|--|--|--|
@@ -264,12 +264,12 @@ All supported Windows versions can be used with Windows Hello for Business. Howe
### Windows Server requirements
-All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
+Windows Hello for Business can be used to authenticate against all supported Windows Server versions as a domain controller. However, cloud Kerberos trust requires minimum versions:
-| | Deployment model | Trust type | Domain Controller OS version |
+| | Deployment model | Trust type | Domain controller OS version |
|--|--|--|--|
| **🔲** | **Cloud-only** | n/a | All supported versions |
-| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later - Windows Server 2019, with [KB4534321][KB-4] and later - Windows Server 2022 |
+| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later - Windows Server 2019, with [KB4534321][KB-4] and later - Windows Server 2022 - Windows Server 2025|
| **🔲** | **Hybrid** | Key | All supported versions |
| **🔲** | **Hybrid** | Certificate | All supported versions |
| **🔲** | **On-premises** | Key | All supported versions |
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 7446d01e92..2c00e42350 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
@@ -33,14 +33,14 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
+1. Open the **Certification Authority** management console.
+1. Expand the parent node from the navigation pane.
+1. Select **Certificate Templates** in the navigation pane.
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue.
+1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority.
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list.
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation.
+1. Close the console.
## Configure the certificate registration authority
@@ -55,7 +55,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
```
>[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (_certtmpl.msc_). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
### Enrollment agent certificate lifecycle management
@@ -89,18 +89,18 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
>
-> - Configure an enrollment agent certificate template
-> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
-> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
-> - Confirm you properly configured the Windows Hello for Business authentication certificate template
-> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
-> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
-> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> Confirm you restarted the AD FS service
-> - Confirm you properly configured load-balancing (hardware or software)
-> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
-> - Confirm you have deployed a MFA solution for AD FS
+> - Configure an enrollment agent certificate template.
+> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+> - Confirm you properly configured the Windows Hello for Business authentication certificate template.
+> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+> - Confirm you restarted the AD FS service.
+> - Confirm you properly configured load-balancing (hardware or software).
+> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address.
+> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+> - Confirm you have deployed a MFA solution for AD FS.
> [!div class="nextstepaction"]
> [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
index 3a9200db54..d718cd9fc4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
index 0240088385..7967a0cd35 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business on-premises certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index d9e217575b..32a928a19c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in an on-premises key trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
-ms.date: 03/12/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
index 41cea6946f..c8081dd141 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/23/2024
+ms.date: 02/25/2025
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 347471eeef..3fb4866bff 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business on-premises key trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
-ms.date: 06/24/2024
+ms.date: 02/25/2025
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
index 0aeded8941..8bdef8c5ea 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -1,7 +1,7 @@
---
title: Prepare users to provision and use Windows Hello for Business
description: Learn how to prepare users to enroll and to use Windows Hello for Business.
-ms.date: 03/12/2024
+ms.date: 02/25/2025
ms.topic: end-user-help
---
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
index 7dd1507298..0d5f859326 100644
--- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -1,7 +1,7 @@
---
title: Dual enrollment
description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 05/06/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -40,7 +40,7 @@ Active Directory Domain Services uses `AdminSDHolder` to secure privileged users
Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object.
```cmd
dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
@@ -52,21 +52,21 @@ Sign in to a domain controller or management workstation with access equivalent
dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
```
-1. To trigger security descriptor propagation, open `ldp.exe`
-1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
-1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user
-1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
-1. Select **Run** to start the task
-1. Close LDP
+1. To trigger security descriptor propagation, open `ldp.exe`.
+1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**.
+1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user.
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**.
+1. Select **Run** to start the task.
+1. Close LDP.
### Configure dual enrollment with group policy
You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
-1. Edit the Group Policy object from step 1
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+1. Edit the Group Policy object from step 1.
1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
-1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
-1. Restart computers targeted by this Group Policy object
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+1. Restart computers targeted by this Group Policy object.
-The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+ The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index c17a99f819..3a5d20bea8 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -5,7 +5,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
ms.topic: faq
- ms.date: 01/03/2024
+ ms.date: 10/10/2024
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
@@ -47,7 +47,7 @@ sections:
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
- question: Where is Windows Hello biometrics data stored?
answer: |
- When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
+ When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/how-it-works#biometric-data-storage) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
@@ -210,9 +210,9 @@ sections:
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
- - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
+ - question: Does Windows Hello for Business cloud Kerberos trust work with RODC present in the hybrid environment?
answer: |
- Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
+ Windows Hello for Business cloud Kerberos trust functions correctly when the client authenticates directly to a writable domain controller or to a Read-Only Domain Controller (RODC) that doesn't cache the user's credentials, in accordance with the Password Replication Policy. If the client attempts to authenticate to an RODC that can cache the user's credentials, cloud Kerberos trust authentication might fail. To mitigate this, deploy KDC certificates to all RODCs to support Windows Hello for Business key trust authentication, which is also required for those RODCs to support LDAP over SSL. This configuration ensures that authentication can seamlessly failover to Windows Hello for Business key trust authentication, thereby guaranteeing successful user authentication.
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index e6b79420ad..aaed7b870d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business known deployment issues
description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: troubleshooting
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index ef8e864841..8524027332 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
title: Windows Hello errors during PIN creation
description: Learn about the Windows Hello error codes that might happen during PIN creation.
ms.topic: troubleshooting
-ms.date: 03/12/2024
+ms.date: 11/22/2024
---
# Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index e1845d9363..b0fc5d6b30 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,7 +1,7 @@
---
title: Dynamic lock
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -19,33 +19,61 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli
1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
1. Close the Group Policy Management Editor to save the Group Policy object.
-The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
+ The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
-```xml
-
-
-
-```
+ ```xml
+
+
+
+ ```
->[!IMPORTANT]
->Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
+ >[!IMPORTANT]
+ >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
-For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
+ For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
-|Description|Value|
-|:-------------|:-------:|
-|Miscellaneous|0|
-|Computer|256|
-|Phone|512|
-|LAN/Network Access Point|768|
-|Audio/Video|1024|
-|Peripheral|1280|
-|Imaging|1536|
-|Wearable|1792|
-|Toy|2048|
-|Health|2304|
-|Uncategorized|7936|
+ |Description|Value|
+ |:-------------|:-------:|
+ |Miscellaneous|0|
+ |Computer|256|
+ |Phone|512|
+ |LAN/Network Access Point|768|
+ |Audio/Video|1024|
+ |Peripheral|1280|
+ |Imaging|1536|
+ |Wearable|1792|
+ |Toy|2048|
+ |Health|2304|
+ |Uncategorized|7936|
-The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
+ The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
-RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+ RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+
+## Configure Dynamic lock with Microsoft Intune
+
+To configure Dynamic lock using Microsoft Intune, follow these steps:
+
+1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration policies.
+1. Create a new policy:
+ - Platform: Windows 10 and later
+ - Profile type: Templates - Custom
+ - Select Create
+1. Configure the profile:
+ - Name: Provide a name for the profile.
+ - Description: (Optional) Add a description.
+1. Add OMA-URI settings:
+ - Enable Dynamic lock:
+ - Name: Enable Dynamic lock
+ - Description: (Optional) This setting enables Dynamic lock
+ - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock
+ - Data type: Boolean
+ - Value: True
+ - Define the Dynamic lock signal rule:
+ - Name: Dynamic lock Signal Rule
+ - Description: (Optional) This setting configures Dynamic lock values
+ - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins
+ - Data type: String
+ - Value: ``
+1. Assign the profile to the appropriate groups.
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3d2908e78a..613da4d993 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,7 +1,7 @@
---
title: Use Certificates to enable SSO for Microsoft Entra join devices
description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
-ms.date: 04/24/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -62,21 +62,21 @@ To include the on-premises distinguished name in the certificate's subject, Micr
Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*.
-1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder
-1. In the **Synchronization Service Manager**, select **Help** and then select **About**
-1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
+1. In the **Synchronization Service Manager**, select **Help** and then select **About**.
+1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
-1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
-1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials
+1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials.
> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent
-1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**
+1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**.
> [!NOTE]
> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
@@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
```
-1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**
+1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
#### Response
\ No newline at end of file
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
deleted file mode 100644
index 75e29b9470..0000000000
--- a/windows/security/includes/sections/application.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Application and driver control
-
-| Feature name | Description |
-|:---|:---|
-| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
-| **[App Control for Business](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.
Windows 10 and above include App Control for Business and AppLocker. App Control is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for the stronger protection. |
-| **[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)** | |
-| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
-
-## Application isolation
-
-| Feature name | Description |
-|:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
-| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
-| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
-| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
-| **[App containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
-| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
deleted file mode 100644
index efde3a725d..0000000000
--- a/windows/security/includes/sections/cloud-services.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Protect your work information
-
-| Feature name | Description |
-|:---|:---|
-| **[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)** | Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
-| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.
With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
-| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.
IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.
To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
-| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
-| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.
The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
-| **[Windows Autopilot](/autopilot/)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
deleted file mode 100644
index fa6c065293..0000000000
--- a/windows/security/includes/sections/hardware.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Hardware root-of-trust
-
-| Feature name | Description |
-|:---|:---|
-| **[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
-| **[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.
Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
-| **[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.
In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
-
-## Silicon assisted security
-
-| Feature name | Description |
-|:---|:---|
-| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows. With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
-| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows. With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
-| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
-
-## Secured-core PC
-
-| Feature name | Description |
-|:---|:---|
-| **[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
-| **[Secured-core configuration lock](/windows/client-management/config-lock)** | Secured-core configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired SCPC state in seconds. |
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
deleted file mode 100644
index f50a087c3c..0000000000
--- a/windows/security/includes/sections/identity.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Passwordless sign in
-
-| Feature name | Description |
-|:---|:---|
-| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
-| **[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
-| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.
Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.
For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
-| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
-| **[Passkeys](/windows/security/identity-protection/passkeys)** | Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster, secure, and more convenient. |
-| **[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
-
-## Advanced credential protection
-
-| Feature name | Description |
-|:---|:---|
-| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
-| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with non-Microsoft identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
-| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
-| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
-| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
-| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Credential Guard](/windows/security/identity-protection/credential-guard/)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
-| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
deleted file mode 100644
index 4fa55308cf..0000000000
--- a/windows/security/includes/sections/operating-system-security.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 11/21/2023
-ms.topic: include
----
-
-## System security
-
-| Feature name | Description |
-|:---|:---|
-| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
-| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
-| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
-| **[Assigned Access](/windows/configuration/)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
-
-## Virus and threat protection
-
-| Feature name | Description |
-|:---|:---|
-| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.
The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but aren't considered malware. |
-| **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.
LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
-| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.
Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
-| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
-| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
-| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they're entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
-| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
-
-## Network security
-
-| Feature name | Description |
-|:---|:---|
-| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
-| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.
In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
-| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, and issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
-| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification program designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
-| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
-| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)** | Windows Firewall provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there's no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
-| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
-| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
-| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
-| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.
SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
-
-## Encryption and data protection
-
-| Feature name | Description |
-|:---|:---|
-| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. |
-| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
-| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container, which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
-| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message hasn't been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
deleted file mode 100644
index 905fb63998..0000000000
--- a/windows/security/includes/sections/security-foundations.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Offensive research
-
-| Feature name | Description |
-|:---|:---|
-| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
-| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows. |
-
-## Certification
-
-| Feature name | Description |
-|:---|:---|
-| **[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
-| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
-
-## Secure supply chain
-
-| Feature name | Description |
-|:---|:---|
-| **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
-| **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | App Control for Business enables customers to define policies for controlling what is allowed to run on their devices. App Control policies can be remotely applied to devices using an MDM solution like Microsoft Intune.
To simplify App Control enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing App Control policies and apps.
Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets. |
-| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 9738ace595..7b2cccd5ae 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -10,15 +10,36 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 03/12/2024
+ ms.date: 10/18/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
landingContent:
- - title: Learn about hardware security
+ - title: Windows 11 security book
linkLists:
- linkListType: overview
+ links:
+ - text: Introduction
+ url: /windows/security/book
+ - text: Hardware security
+ url: /windows/security/book/hardware-security
+ - text: Operating system security
+ url: /windows/security/book/operating-system-security
+ - text: Application security
+ url: /windows/security/book/application-security
+ - text: Identity protection
+ url: /windows/security/book/identity-protection
+ - text: Privacy
+ url: /windows/security/book/privacy
+ - text: Cloud services
+ url: /windows/security/book/cloud-services
+ - text: Security foundation
+ url: /windows/security/book/security-foundation
+
+ - title: Learn about hardware security
+ linkLists:
+ - linkListType: get-started
links:
- text: Trusted Platform Module (TPM)
url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
@@ -33,7 +54,7 @@ landingContent:
- title: Learn about OS security
linkLists:
- - linkListType: overview
+ - linkListType: get-started
links:
- text: Trusted boot
url: /windows/security/operating-system-security
@@ -41,7 +62,7 @@ landingContent:
url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
- text: BitLocker
url: /windows/security/operating-system-security/data-protection/bitlocker/
- - text: Personal Data Encryption (PDE)
+ - text: Personal Data Encryption
url: /windows/security/operating-system-security/data-protection/personal-data-encryption
- text: Windows security baselines
url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
@@ -57,7 +78,7 @@ landingContent:
links:
- text: Configure BitLocker
url: /windows/security/operating-system-security/data-protection/bitlocker/configure
- - text: Configure PDE
+ - text: Configure Personal Data Encryption
url: /windows/security/operating-system-security/data-protection/personal-data-encryption/configure
- linkListType: whats-new
links:
@@ -66,7 +87,7 @@ landingContent:
- title: Learn about identity protection
linkLists:
- - linkListType: overview
+ - linkListType: get-started
links:
- text: Passwordless strategy
url: /windows/security/identity-protection/passwordless-strategy
@@ -99,7 +120,7 @@ landingContent:
- title: Learn about application security
linkLists:
- - linkListType: overview
+ - linkListType: get-started
links:
- text: App Control for Business
url: /windows/security/application-security/application-control/windows-defender-application-control/
@@ -110,7 +131,7 @@ landingContent:
- text: Microsoft Defender Application Guard (MDAG)
url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- text: Windows Sandbox
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
+ url: /windows/security/application-security/application-isolation/windows-sandbox/
- linkListType: how-to-guide
links:
- text: Configure Windows Sandbox
@@ -118,7 +139,7 @@ landingContent:
- title: Learn about security foundations
linkLists:
- - linkListType: overview
+ - linkListType: get-started
links:
- text: Zero trust
url: /windows/security/security-foundations/zero-trust-windows-device-health
@@ -141,7 +162,7 @@ landingContent:
- title: Learn about cloud security
linkLists:
- - linkListType: overview
+ - linkListType: get-started
links:
- text: Security baselines with Intune
url: /mem/intune/protect/security-baselines
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
deleted file mode 100644
index 53edc2cc2c..0000000000
--- a/windows/security/introduction.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Introduction to Windows security
-description: System security book.
-ms.date: 07/22/2024
-ms.topic: overview
-ms.author: paoloma
-author: paolomatarazzo
----
-
-# Introduction to Windows security
-
-The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
-
-Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the security baselines with new requirements for advanced hardware and software protection that extends from chip to cloud.
-
-## How Windows 11 enables Zero Trust protection
-
-A Zero Trust security model gives the right people the right access at the right time. Zero Trust security is based on three principles:
-
-1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception
-1. When verified, give people and devices access to only necessary resources for the necessary amount of time
-1. Use continuous analytics to drive threat detection and improve defenses
-
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Microsoft Entra ID, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
-
-### Security, by default
-
-Windows 11 is a natural evolution of its predecessor, Windows 10. We have collaborated with our manufacturer and silicon partners to incorporate extra hardware security measures that address the increasingly complex security threats of today. These measures not only enable the hybrid work and learning that many organizations now embrace but also help bolster our already strong foundation and resilience against attacks.
-
-### Enhanced hardware and operating system security
-
-With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
-
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
-
-### Robust application security and privacy controls
-
-To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.
-
-In Windows 11, [Microsoft Defender Application Guard](application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone.
-
-### Secured identities
-
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) and [passkeys](identity-protection/passkeys/index.md) for passwordless authentication.
-
-### Connecting to cloud services
-
-Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Microsoft Entra ID and Microsoft Azure Attestation to control access to applications and data through the cloud.
-
-## Next steps
-
-To learn more about the security features included in Windows 11, read the [Windows 11 Security Book](book/index.md).
-
-
diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md
index 34a527cefe..2bf77557b9 100644
--- a/windows/security/licensing-and-edition-requirements.md
+++ b/windows/security/licensing-and-edition-requirements.md
@@ -1,8 +1,8 @@
---
-title: Windows security features licensing and edition requirements
+title: Windows Security Features Licensing And Edition Requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
-ms.topic: conceptual
-ms.date: 04/10/2024
+ms.topic: reference
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 11
ms.author: paoloma
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index 3e29796ff1..826ae7e556 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -2,7 +2,7 @@
title: BCD settings and BitLocker
description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# Boot Configuration Data settings and BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
index 7fbff47e8c..5ed1607787 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
@@ -2,7 +2,7 @@
title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# Configure BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
index 3eda5bed37..4e0d64f71a 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
@@ -2,7 +2,7 @@
title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker countermeasures
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
index 15db660036..131cf2f9c9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
@@ -2,8 +2,9 @@
title: Protect cluster shared volumes and storage area networks with BitLocker
description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
appliesto:
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
index b2642afed9..fcbcadf1b9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@@ -3,7 +3,7 @@ metadata:
title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
- ms.date: 06/18/2024
+ ms.date: 12/05/2024
title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
index 8cfee0617e..45ad55ad06 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
@@ -17,6 +17,10 @@ This policy setting allows you to control how BitLocker-protected operating syst
If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+
+For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
+
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoveryoptions)|
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 69d9822b91..c6807e111b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -2,7 +2,7 @@
title: BitLocker overview
description: Learn about BitLocker practical applications and requirements.
ms.topic: overview
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker overview
@@ -146,4 +146,4 @@ For more information about device encryption, see [BitLocker device encryption h
[WIN-1]: /windows/deployment/mbr-to-gpt
[WIN-2]: /windows-server/administration/windows-commands/bdehdcfg
[WIN-3]: /windows-hardware/design/device-experiences/modern-standby
-[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
\ No newline at end of file
+[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
index a1b63ed90b..687f2418cd 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
@@ -2,8 +2,9 @@
title: Install BitLocker on Windows Server
description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
appliesto:
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
index 39be442f55..ff99a2de31 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@@ -2,12 +2,12 @@
title: Network Unlock
description: Learn how BitLocker Network Unlock works and how to configure it.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# Network Unlock
-Network Unlock is a BitLocker *key protector* for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. Network Unlock requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by `TPM+PIN` protectors require a PIN to be entered when a device reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
+Network Unlock is a BitLocker *key protector* for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. Network Unlock requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by `TPM+PIN` protectors require a PIN to be entered when a device reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult for enterprises to roll out software patches to unattended desktops and remotely administered servers.
Network Unlock allows BitLocker-enabled systems that have a `TPM+PIN` and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the `TPM+StartupKey` at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
@@ -248,7 +248,7 @@ The following steps describe how to deploy the required group policy setting:
By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
-The configuration file, called `bde-network-unlock.ini`, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
+The configuration file called `bde-network-unlock.ini`, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word `ENABLED` is disallowed for subnet names.
@@ -299,6 +299,8 @@ To update the certificates used by Network Unlock, administrators need to import
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode
+- If client hardware is a Secure Core device, you may need to disable Secure Core functionality
+
- All required roles and services are installed and started
- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer
- Group policy for Network Unlock is enabled and linked to the appropriate domains
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
index 7bf6e12c5a..2a6e018234 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
@@ -2,7 +2,7 @@
title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker operations guide
@@ -462,6 +462,9 @@ From the **BitLocker Drive Encryption** Control Panel applet, select the OS driv
### Resume BitLocker
+> [!NOTE]
+> Resuming protection only works on devices that have accepted the Windows EULA.
+
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
index c54ad2e21e..3c563aa624 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
@@ -2,7 +2,7 @@
title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: concept-article
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker planning guide
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
index aaadd7678e..842b2e94c9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
@@ -2,7 +2,7 @@
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article
-ms.date: 06/19/2024
+ms.date: 12/05/2024
---
# BitLocker preboot recovery screen
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
index 4625b2f5e0..3db9407c4b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
@@ -2,7 +2,7 @@
title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker recovery overview
@@ -21,6 +21,7 @@ The following list provides examples of common events that cause a device to ent
- Docking or undocking a portable computer
- Changes to the NTFS partition table on the disk
- Changes to the boot manager
+- Using PXE boot
- Turning off, disabling, deactivating, or clearing the TPM
- TPM self-test failure
- Upgrading the motherboard to a new one with a new TPM
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
index 4b1498edf5..9da8c4e609 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
@@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
-ms.date: 07/18/2024
+ms.date: 02/11/2025
---
# BitLocker recovery process
@@ -26,6 +26,9 @@ A recovery key can't be stored in any of the following locations:
- The root directory of a nonremovable drive
- An encrypted volume
+> [!WARNING]
+> A recovery key is sensitive information that allows users to unlock an encrypted drive and perform administrative tasks on the drive. For enhanced security, it's recommended to enable self-service in trusted environments only, or rely on helpdesk recovery.
+
### Self-recovery with recovery password
If you have access to the recovery key, enter the 48-digits in the preboot recovery screen.
@@ -72,7 +75,7 @@ The following list can be used as a template for creating a recovery process for
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
> [!NOTE]
-> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
+> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will continue to have access to BitLocker recovery keys for those devices that have undergone device ownership changes, unless the new device owner belongs to a custom role or adminstrative unit scope. In such an instance, the user will need to contact other scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
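Review bot: The rewritten note in this hunk contains a typo, `adminstrative unit scope`, and the following sentence is ungrammatical: `the user will need to contact other scoped administrator for the recovery keys`. Suggested replacement for that sentence: `In such an instance, the user will need to contact another scoped administrator for the recovery keys.` The new text also inverts the previous statement (scoped administrators now *retain* access to recovery keys after a device ownership change, with one exception); since this describes who can read recovery passwords, it would be worth a confirming reference or a short sentence explaining the condition, so readers can verify the access model against their tenant configuration.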
@@ -180,6 +183,9 @@ When a volume is unlocked using a recovery password:
After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
+> [!NOTE]
+> If you move an OS volume with a TPM protector to a different device and unlock it using a recovery protector, BitLocker will bind to the new TPM. Returning the volume to the original device will prompt for the recovery protector due to the TPM mismatch. Once unlocked using recovery protector again, the volume will re-bind to the original device.
+
If a device experiences multiple recovery password events, an administrator should perform post-recovery analysis to determine the root cause of the recovery. Then, refresh the BitLocker platform validation to prevent entering a recovery password each time that the device starts up.
### Determine the root cause of the recovery
diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md
index 7781de30a9..8005268fd0 100644
--- a/windows/security/operating-system-security/data-protection/configure-s-mime.md
+++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md
@@ -1,8 +1,8 @@
---
-title: Configure S/MIME for Windows
+title: Configure S/MIME For Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 02/25/2025
---
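Review bot: The title change to `Configure S/MIME For Windows` capitalizes "For", which departs from the sentence-case titles used elsewhere in this set (`BitLocker recovery overview`, `Encrypted hard drives`, `Personal Data Encryption settings and configuration`). Unless the capitalization is intentional, keep `title: Configure S/MIME for Windows` and only bump `ms.date`.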
@@ -68,4 +68,4 @@ When you receive a signed email, the app provides a feature to install correspon
1. Select the digital signature icon in the reading pane
1. Select **Install.**
- :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::
+ :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::
diff --git a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
index 61a6b9a820..625c644314 100644
--- a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
+++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
@@ -1,7 +1,7 @@
---
title: Encrypted hard drives
description: Learn how encrypted hard drives use the rapid encryption that is provided by BitLocker to enhance data security and management.
-ms.date: 07/22/2024
+ms.date: 02/25/2025
ms.topic: concept-article
---
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 34c2ed5f4a..c39add4606 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -1,42 +1,42 @@
---
-title: PDE settings and configuration
-description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+title: Personal Data Encryption settings and configuration
+description: Learn about the available options to configure Personal Data Encryption (Personal Data Encryption) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
ms.date: 09/24/2024
---
-# PDE settings and configuration
+# Personal Data Encryption settings and configuration
-This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+This article describes the Personal Data Encryption settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
> [!NOTE]
-> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
+> Personal Data Encryption can be configured using MDM policies. The content to be protected by Personal Data Encryption can be specified using [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable Personal Data Encryption or protect content using Personal Data Encryption.
>
-> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
+> The Personal Data Encryption APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the Personal Data Encryption APIs can't be used to protect content until the Personal Data Encryption policy has been enabled.
-## PDE settings
+## Personal Data Encryption settings
-The following table lists the required settings to enable PDE.
+The following table lists the required settings to enable Personal Data Encryption.
| Setting name | Description |
|-|-|
-|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
-|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
+|Enable Personal Data Encryption|Personal Data Encryption isn't enabled by default. Before Personal Data Encryption can be used, you must enable it.|
+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption. To use Personal Data Encryption, ARSO must be disabled.|
-## PDE hardening recommendations
+## Personal Data Encryption hardening recommendations
-The following table lists the recommended settings to improve PDE's security.
+The following table lists the recommended settings to improve Personal Data Encryption's security.
| Setting name | Description |
|-|-|
-|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
-|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
-|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
-|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
+|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable hibernation.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by Personal Data Encryption to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
-## Configure PDE with Microsoft Intune
+## Configure Personal Data Encryption with Microsoft Intune
-If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
+If you use Microsoft Intune to manage your devices, you can configure Personal Data Encryption using a disk encryption policy, a settings catalog policy, or a custom profile.
### Disk encryption policy
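Review bot: The description line at the top of the hunk now reads `Personal Data Encryption (Personal Data Encryption)`, which looks like a find-and-replace artifact of expanding the PDE abbreviation; suggest `Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).` The other files in this commit bump `ms.date` alongside their content changes, but this one leaves `ms.date: 09/24/2024` in place despite a title, heading and body rewrite — presumably unintentional, worth confirming against the repo's metadata conventions.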
@@ -77,9 +77,9 @@ Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
```
-## Configure PDE with CSP
+## Configure Personal Data Encryption with CSP
-Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [Personal Data Encryption CSP][CSP-2].
|OMA-URI|Format|Value|
|-|-|-|
@@ -91,13 +91,13 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``|
-## Disable PDE
+## Disable Personal Data Encryption
-Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+Once Personal Data Encryption is enabled, it isn't recommended to disable it. However if you need to disable Personal Data Encryption, you can do so using the following steps.
-### Disable PDE with a disk encryption policy
+### Disable Personal Data Encryption with a disk encryption policy
-To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+To disable Personal Data Encryption devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
- **Platform** > **Windows**
- **Profile** > **Personal Data Encryption**
@@ -106,7 +106,7 @@ Provide a name, and select **Next**. In the **Configuration settings** page, sel
Assign the policy to a group that contains as members the devices or users that you want to configure.
-### Disable PDE with a settings catalog policy in Intune
+### Disable Personal Data Encryption with a settings catalog policy in Intune
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
@@ -116,24 +116,24 @@ Assign the policy to a group that contains as members the devices or users that
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
-### Disable PDE with CSP
+### Disable Personal Data Encryption with CSP
-You can disable PDE with CSP using the following setting:
+You can disable Personal Data Encryption with CSP using the following setting:
|OMA-URI|Format|Value|
|-|-|-|
|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
-## Decrypt PDE-encrypted content
+## Decrypt encrypted content
-Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
+Disabling Personal Data Encryption doesn't decrypt any Personal Data Encryption protected content. It only prevents the Personal Data Encryption API from being able to protect any additional content. Pprotected files can be manually decrypted using the following steps:
1. Open the properties of the file
1. Under the **General** tab, select **Advanced...**
1. Uncheck the option **Encrypt contents to secure data**
1. Select **OK**, and then **OK** again
-PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
+Protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
- Decrypting a large number of files on a device
- Decrypting files on multiple of devices
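Review bot: The rewritten sentence near the top of the hunk has a typo, `Pprotected files can be manually decrypted using the following steps:`; it should read `Protected files can be manually decrypted using the following steps:`. The same find-and-replace also dropped the qualifier from the heading (`## Decrypt encrypted content`), which now no longer says *what kind* of encrypted content is meant, even though the FAQ link in this commit was updated to match the new anchor; consider `## Decrypt Personal Data Encryption protected content` and updating the anchor consistently, or leave as is if the shorter anchor is preferred.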
@@ -153,11 +153,11 @@ To decrypt files on a device using `cipher.exe`:
```
> [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using Personal Data Encryption.
## Next steps
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Review the [Personal Data Encryption FAQ](faq.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 8aeed21090..2be94a9a24 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -1,51 +1,51 @@
### YamlMime:FAQ
metadata:
- title: Frequently asked questions for Personal Data Encryption (PDE)
- description: Answers to common questions regarding Personal Data Encryption (PDE).
+ title: Frequently asked questions for Personal Data Encryption
+ description: Answers to common questions regarding Personal Data Encryption.
ms.topic: faq
ms.date: 09/24/2024
-title: Frequently asked questions for Personal Data Encryption (PDE)
+title: Frequently asked questions for Personal Data Encryption
summary: |
- Here are some answers to common questions regarding Personal Data Encryption (PDE)
+ Here are some answers to common questions regarding Personal Data Encryption
sections:
- name: General
questions:
- - question: Can PDE encrypt entire volumes or drives?
+ - question: Can Personal Data Encryption encrypt entire volumes or drives?
answer: |
- No, PDE only encrypts specified files and content.
- - question: How are files and content protected by PDE selected?
+ No, Personal Data Encryption only encrypts specified files and content.
+ - question: How are files and content protected by Personal Data Encryption selected?
answer: |
- [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
- - question: Can users manually encrypt and decrypt files with PDE?
+ [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using Personal Data Encryption.
+ - question: Can users manually encrypt and decrypt files with Personal Data Encryption?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt encrypted content](configure.md#decrypt-encrypted-content).
+ - question: Can Personal Data Encryption protected content be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
- No, it's not supported to access PDE-protected content over RDP.
- - question: Can PDE protected content be accessed via a network share?
+ No, it's not supported to access protected content over RDP.
+ - question: Can Personal Data Encryption protected content be accessed via a network share?
answer: |
- No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- - question: What encryption method and strength does PDE use?
+ No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+ - question: What encryption method and strength does Personal Data Encryption use?
answer: |
- PDE uses AES-CBC with a 256-bit key to encrypt content.
+ Personal Data Encryption uses AES-CBC with a 256-bit key to encrypt content.
- - name: PDE and other Windows features
+ - name: Personal Data Encryption and other Windows features
questions:
- - question: What is the relation between Windows Hello for Business and PDE?
+ - question: What is the relation between Windows Hello for Business and Personal Data Encryption?
answer: |
- During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
- - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
+ During user sign-on, Windows Hello for Business unlocks the keys that Personal Data Encryption uses to protect content.
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their Personal Data Encryption protected content?
answer: |
- No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- - question: Can a file be protected with both PDE and EFS at the same time?
+ No, the keys used by Personal Data Encryption to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+ - question: Can a file be protected with both Personal Data Encryption and EFS at the same time?
answer: |
- No, PDE and EFS are mutually exclusive.
- - question: Is PDE a replacement for BitLocker?
+ No, Personal Data Encryption and EFS are mutually exclusive.
+ - question: Is Personal Data Encryption a replacement for BitLocker?
answer: |
No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
- question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
answer: |
- No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+ No, Personal Data Encryption doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by Personal Data Encryption to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 7e28595993..2f0191609b 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -1,104 +1,104 @@
---
-title: Personal Data Encryption (PDE)
+title: Personal Data Encryption
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
ms.date: 09/24/2024
---
-# Personal Data Encryption (PDE)
+# Personal Data Encryption
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
+Starting in Windows 11, version 22H2, Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows.
-PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+Personal Data Encryption utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
The use of Windows Hello for Business offers the following advantages:
- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
-- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+- The accessibility features available when using Windows Hello for Business extend to Personal Data Encryption protected content
-PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
+Personal Data Encryption differs from BitLocker in that it encrypts files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, Personal Data Encryption doesn't release data encryption keys until a user signs in using Windows Hello for Business.
## Prerequisites
-To use PDE, the following prerequisites must be met:
+To use Personal Data Encryption, the following prerequisites must be met:
- Windows 11, version 22H2 and later
-- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
+- The devices must be [Microsoft Entra joined][ENTRA-1] or [Microsoft Entra hybrid joined][ENTRA-2]. Domain-joined devices aren't supported
- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
> [!IMPORTANT]
-> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
+> If you sign in with a password or a [FIDO2 security key][ENTRA-3], you can't access Personal Data Encryption protected content.
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
-## PDE protection levels
+## Personal Data Encryption protection levels
-PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+Personal Data Encryption uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
-| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
-| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
-| PDE protected data is accessible after user signs out of Windows | No | No |
-| PDE protected data is accessible when device is shut down | No | No |
-| PDE protected data is accessible via UNC paths | No | No |
-| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
-| PDE protected data is accessible via Remote Desktop session | No | No |
-| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
+| Protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
+| Protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
+| Protected data is accessible after user signs out of Windows | No | No |
+| Protected data is accessible when device is shut down | No | No |
+| Protected data is accessible via UNC paths | No | No |
+| Protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
+| Protected data is accessible via Remote Desktop session | No | No |
+| Decryption keys used by Personal Data Encryption discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
-## PDE protected content accessibility
+## Personal Data Encryption protected content accessibility
-When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
+When a file is protected with Personal Data Encryption, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access Personal Data Encryption protected content, they'll be denied access to the content.
-Scenarios where a user will be denied access to PDE protected content include:
+Scenarios where a user will be denied access to Personal Data Encryption protected content include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
- If protected via level 2 protection, when the device is locked
- When trying to access content on the device remotely. For example, UNC network paths
- Remote Desktop sessions
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the Personal Data Encryption protected content
-## Differences between PDE and BitLocker
+## Differences between Personal Data Encryption and BitLocker
-PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
+Personal Data Encryption is meant to work alongside BitLocker. Personal Data Encryption isn't a replacement for BitLocker, nor is BitLocker a replacement for Personal Data Encryption. Using both features together provides better security than using either BitLocker or Personal Data Encryption alone. However there are differences between BitLocker and Personal Data Encryption and how they work. These differences are why using them together offers better security.
-| Item | PDE | BitLocker |
+| Item | Personal Data Encryption | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
| Protected content | All files in protected folders | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
-## Differences between PDE and EFS
+## Differences between Personal Data Encryption and EFS
-The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
+The main difference between protecting files with Personal Data Encryption instead of EFS is the method they use to protect the file. Personal Data Encryption uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
-To see if a file is protected with PDE or with EFS:
+To see if a file is protected with Personal Data Encryption or with EFS:
1. Open the properties of the file
1. Under the **General** tab, select **Advanced...**
1. In the **Advanced Attributes** windows, select **Details**
-For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+For Personal Data Encryption protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
-## Recommendations for using PDE
+## Recommendations for using Personal Data Encryption
-The following are recommendations for using PDE:
+The following are recommendations for using Personal Data Encryption:
-- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although Personal Data Encryption works without BitLocker, it's recommended to enable BitLocker. Personal Data Encryption is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
-## Windows out of box applications that support PDE
+## Windows out of box applications that support Personal Data Encryption
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
+Certain Windows applications support Personal Data Encryption out of the box. If Personal Data Encryption is enabled on a device, these applications will utilize Personal Data Encryption:
| App name | Details |
|-|-|
@@ -106,10 +106,11 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
## Next steps
-- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [Personal Data Encryption settings and configuration](configure.md)
+- Review the [Personal Data Encryption FAQ](faq.yml)
-[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
-[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+[ENTRA-1]: /entra/identity/devices/concept-directory-join
+[ENTRA-2]: /entra/identity/devices/concept-hybrid-join
+[ENTRA-3]: /entra/identity/authentication/howto-authentication-passwordless-security-key-windows#sign-in-with-fido2-security-key
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index f526600bd4..ac20c878c3 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,7 +1,7 @@
items:
-- name: PDE overview
+- name: Overview
href: index.md
-- name: Configure PDE
+- name: Configure Personal Data Encryption
href: configure.md
-- name: PDE frequently asked questions (FAQ)
+- name: Frequently asked questions (FAQ)
href: faq.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
index 81f918fba2..ee4a57ab27 100644
--- a/windows/security/operating-system-security/data-protection/toc.yml
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -3,9 +3,7 @@ items:
href: bitlocker/toc.yml
- name: Encrypted hard drives
href: encrypted-hard-drive.md
-- name: Personal data encryption (PDE)
+- name: Personal data encryption
href: personal-data-encryption/toc.yml
- name: Email Encryption (S/MIME)
href: configure-s-mime.md
-- name: Windows Information Protection (WIP)
- href: /previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index c652900182..e4e9708f86 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -2,8 +2,8 @@
title: Get support for security baselines
description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 07/10/2024
+ms.topic: article
+ms.date: 10/01/2024
---
# Get Support
@@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-
-- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
-- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
+### What file formats are supported by the SCT?
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@@ -47,6 +38,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline release date | Security tools |
|--|--|--|--|
+| Windows 11 | [24H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-24h2-security-baseline/ba-p/4252801) | October 2024 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 11 | [23H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618) | October 2023 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520) | September 2022 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724) [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) [1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update) | October 2022 December 2021 December 2020 October 2018 October 2016 January 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
@@ -55,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
|--|--|--|--|
+| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
### Microsoft products
| Name | Details | Security Tools |
|--|--|--|
-| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
index 08bb94eda4..1d9af2fdd1 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
@@ -3,7 +3,7 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
ms.localizationpriority: medium
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: concept-article
---
# What is Microsoft Baseline Security Analyzer and its uses?
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index a1a1d93059..704206929a 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,8 +1,8 @@
---
title: Microsoft Security Compliance Toolkit Guide
description: This article describes how to use Security Compliance Toolkit in your organization.
-ms.topic: conceptual
-ms.date: 07/10/2024
+ms.topic: concept-article
+ms.date: 10/01/2024
---
# Microsoft Security Compliance Toolkit - How to use
@@ -16,24 +16,23 @@ The SCT enables administrators to effectively manage their enterprise's Group Po
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
+ - Windows 11, version 24H2
- Windows 11, version 23H2
- Windows 11, version 22H2
- Windows 11, version 21H2
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- - Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
+ - Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- - Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
+ - Microsoft 365 Apps for Enterprise Version 2412
- Microsoft Edge security baseline
- Microsoft Edge version 128
- Tools
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
index 436a88a7a3..50bf145b5d 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
@@ -1,7 +1,7 @@
---
title: Security baselines guide
description: Learn how to use security baselines in your organization.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
deleted file mode 100644
index e8c0197c75..0000000000
--- a/windows/security/operating-system-security/index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.date: 07/10/2024
-ms.topic: overview
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
-
-[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)]
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index c2a7ae57a8..2fc0efca6e 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index daf7f89f5d..9a4865a98c 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 539eeaeda6..26a2c22a06 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
-- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 85b51dd4d1..53c870afc0 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 8fa4ab6725..9702c4afee 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
-- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
-At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section.
Server-side infrastructure requirements to support VPN device compliance include:
@@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
-> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
-> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
+> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
+> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
-1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 7199978f6c..0c0b47c65c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> 
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 3233517baa..c1c9ac3826 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: overview
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 666f60d6c1..36074af74a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index aced17dd8e..02b7c5daff 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index 4fdbb86971..43f5802163 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index e5f0bc3f68..6bbae9aa58 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -1,5 +1,5 @@
---
-ms.date: 05/06/2024
+ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne

Once enabled, you can add the routes that should use the VPN connection.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index 0ca87d7370..2e53eeeae5 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index b1b37ca008..b332d7b87d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -32,19 +32,19 @@ netsh.exe advfirewall set allprofiles state on
### Control Windows Firewall behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console.
-The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
+The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and disallows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
+Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
-netsh advfirewall set allprofiles settings inboundusernotification enable
+netsh advfirewall set allprofiles settings inboundusernotification disable
netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
@@ -53,19 +53,14 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile
### Disable Windows Firewall
-Microsoft recommends that you don't disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
-Disabling Windows Firewall can also cause problems, including:
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
- Start menu can stop working
- Modern applications can fail to install or update
- Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall
-Microsoft recommends disabling Windows Firewall only when installing a non-Microsoft firewall, and resetting Windows Firewall back to defaults when the non-Microsoft software is disabled or removed.
-If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
-Stopping the Windows Firewall service isn't supported by Microsoft.
-Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.
-You shouldn't disable the firewall yourself for this purpose.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows Firewall deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
@@ -79,6 +74,10 @@ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+``` cmd
+netsh.exe advfirewall set allprofiles state off
+```
+
---
## Deploy basic firewall rules
@@ -569,3 +568,6 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec
```
---
+[BTF]: /windows/win32/fwp/basic-operation
+[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line
+[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
index b8e9d793fc..f6540ef8df 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
@@ -11,7 +11,7 @@ This article contains examples how to configure Windows Firewall rules using the
## Access the Windows Firewall with Advanced Security console
-If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
+If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**. Pay attention to the [Group policy processing considerations][GPPC] when using Group Policy.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select START, type `wf.msc`, and press ENTER.
@@ -176,3 +176,5 @@ Using the two rules configured as described in this topic helps to protect your
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
+
+[GPPC]: /windows/security/operating-system-security/network-security/windows-firewall/tools#group-policy-processing-considerations
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md
index 8952b535cf..4de85b91d4 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/index.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md
@@ -73,6 +73,18 @@ The *public network* profile is designed with higher security in mind for public
> [!TIP]
> Use the PowerShell cmdlet `Get-NetConnectionProfile` to retrieve the active network category (`NetworkCategory`). Use the PowerShell cmdlet `Set-NetConnectionProfile` to switch the category between *private* and *public*.
+## Disable Windows Firewall
+
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
+
+- Start menu can stop working
+- Modern applications can fail to install or update
+- Activation of Windows via phone fails
+- Application or OS incompatibilities that depend on Windows Firewall
+
+The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. See [Manage Windows Firewall with the command line][MFWC] for detailed steps.
+
## Next steps
> [!div class="nextstepaction"]
@@ -89,3 +101,6 @@ To provide feedback for Windows Firewall, open [**Feedback Hub**][FHUB] (WI
[FHUB]: feedback-hub:?tabid=2&newFeedback=true
[NLA]: /windows/win32/winsock/network-location-awareness-service-provider-nla--2
[CSP-1]: /windows/client-management/mdm/policy-csp-networklistmanager
+[BTF]: /windows/win32/fwp/basic-operation
+[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line
+[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
index 3daf29314e..64b6580098 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
@@ -30,11 +30,13 @@ When first installed, network applications and services issue a *listen call* sp
:::row:::
:::column span="2":::
- If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
-
- - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
- - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created
+ If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
+
+- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
+- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected
+To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console
+
:::column-end:::
:::column span="2":::
:::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false":::
diff --git a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
index 5cff1aedaa..0cc64c4d6f 100644
--- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
+++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
@@ -1,9 +1,9 @@
---
title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
-ms.reviewer: skhadeer, raverma
+ms.reviewer: skhadeer, aathipsa
---
# Cryptography and Certificate Management
@@ -17,13 +17,19 @@ Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 c
Windows cryptographic modules provide low-level primitives such as:
- Random number generators (RNG)
-- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
-- Hashing (support for SHA-256, SHA-384, and SHA-512)
+- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
+- Hashing (support for SHA-256, SHA-384, SHA-512, and SHA-3*)
- Signing and verification (padding support for OAEP, PSS, PKCS1)
- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+*With this release we added support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, and KMAC). These are the latest standardized hash functions by the National Institute of Standards and Technology (NIST) and can be leveraged through the Windows CNG library. Below is a list of the supported SHA-3 functions:
+
+Supported SHA-3 hash functions: SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
+Supported SHA-3 HMAC algorithms: HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
+Supported SHA-3 derived algorithms: extendable-output functions (XOF) (SHAKE128, SHAKE256), customizable XOFs (cSHAKE128, cSHAKE256), and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256).
+
## Certificate management
Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 1c997805c4..f25f5692a9 100644
--- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -2,7 +2,7 @@
title: Control the health of Windows devices
description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Control the health of Windows devices
diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index c931ca2dcb..39e6da5648 100644
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -1,7 +1,7 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/10/2024
ms.collection:
- tier1
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index 657b99e5df..0309711be5 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -13,7 +13,7 @@ items:
href: ../../threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: ../../threat-protection/auditing/security-auditing-overview.md
-- name: Assigned Access 🔗
+- name: Kiosks and restricted user experiences 🔗
href: /windows/configuration/assigned-access
- name: Windows Security settings
href: windows-defender-security-center/windows-defender-security-center.md
diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
index 4da0621dc6..8265bf9725 100644
--- a/windows/security/operating-system-security/system-security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -1,7 +1,7 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
ms.reviewer: jsuther
appliesto:
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 2a65943ed8..0fdbcab450 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -2,7 +2,7 @@
title: Windows Security
description: Windows Security brings together common Windows security features into one place.
ms.date: 06/27/2024
-ms.topic: conceptual
+ms.topic: article
---
# Windows Security
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
index 1e8df2650f..5c37753d30 100644
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@@ -1,13 +1,11 @@
items:
-- name: Overview
- href: index.md
- name: System security
href: system-security/toc.yml
- name: Encryption and data protection
href: data-protection/toc.yml
-- name: Device management
- href: device-management/toc.yml
- name: Network security
href: network-security/toc.yml
- name: Virus and threat protection
- href: virus-and-threat-protection/toc.yml
\ No newline at end of file
+ href: virus-and-threat-protection/toc.yml
+- name: Device management
+ href: device-management/toc.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
index d53d8c5dc7..9824baf8c1 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@@ -1,7 +1,7 @@
---
title: Available Microsoft Defender SmartScreen settings
description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.date: 07/10/2024
+ms.date: 10/10/2024
ms.topic: reference
---
@@ -9,7 +9,7 @@ ms.topic: reference
Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show users a warning page and let them continue to the site, or you can block the site entirely.
-See [Windows settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
+See [Windows settings to protect devices using Intune](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-smartscreen-settings) for the controls you can use in Intune.
> [!NOTE]
> For a list of settings available for Enhanced phishing protection, see [Enhanced phishing protection](enhanced-phishing-protection.md#configure-enhanced-phishing-protection-for-your-organization).
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index ee7a31a01b..595cb143ba 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -2,7 +2,7 @@
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: article
appliesto:
- ✅ Windows 11, version 22H2
---
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 56fc48b2bf..909ccb5dd2 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -2,7 +2,7 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: overview
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index 739b778e25..af7736d41e 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -1,7 +1,7 @@
---
title: Windows FIPS 140 validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.date: 2/1/2024
+ms.date: 11/13/2024
ms.topic: reference
---
@@ -21,6 +21,8 @@ The Windows client releases listed below include cryptographic modules that have
#### Windows 10 releases
+- [Windows 10, version 21H1 (May 2021 Update)](validations/fips-140-windows10.md#windows-10-version-21h1-may-2021-update)
+- [Windows 10, version 20H2 (October 2020 Update)](validations/fips-140-windows10.md#windows-10-version-20h2-october-2020-update)
- [Windows 10, version 2004 (May 2020 Update)](validations/fips-140-windows10.md#windows-10-version-2004-may-2020-update)
- [Windows 10, version 1909 (November 2019 Update)](validations/fips-140-windows10.md#windows-10-version-1909-november-2019-update)
- [Windows 10, version 1903 (May 2019 Update)](validations/fips-140-windows10.md#windows-10-version-1903-may-2019-update)
@@ -60,16 +62,18 @@ The Windows client releases listed below include cryptographic modules that have
The Windows Server releases listed below include cryptographic modules that have completed FIPS 140 validation. Click on the release for details, including the CMVP certificate, Security Policy document, and algorithm scope for each module. When the CMVP certificate validation label includes the note *When operated in FIPS mode*, specific configuration and security rules outlined in the Security Policy must be followed.
-#### Windows Server 2019 and 2016 releases
+#### Windows Server 2022, 2019, and 2016 releases
+- [Windows Server 2022](validations/fips-140-windows-server-2022.md#windows-server-2022)
- [Windows Server 2019](validations/fips-140-windows-server-2019.md#windows-server-2019)
- [Windows Server 2016](validations/fips-140-windows-server-2016.md#windows-server-2016)
#### Windows Server semi-annual releases
-- [Windows Server, version 2004](validations/fips-140-windows-server-semi-annual.md#windows-server-version-2004-may-2020-update)
-- [Windows Server, version 1909](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1909-november-2019-update)
-- [Windows Server, version 1903](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1903-may-2019-update)
+- [Windows Server, version 20H2](validations/fips-140-windows-server-semi-annual.md#windows-server-version-20h2)
+- [Windows Server, version 2004](validations/fips-140-windows-server-semi-annual.md#windows-server-version-2004)
+- [Windows Server, version 1909](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1909)
+- [Windows Server, version 1903](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1903)
- [Windows Server, version 1809](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1809)
- [Windows Server, version 1803](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1803)
- [Windows Server, version 1709](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1709)
diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml
index 33099035c3..98c1522666 100644
--- a/windows/security/security-foundations/certification/toc.yml
+++ b/windows/security/security-foundations/certification/toc.yml
@@ -9,6 +9,8 @@ items:
href: validations/fips-140-windows10.md
- name: Previous Windows releases
href: validations/fips-140-windows-previous.md
+ - name: Windows Server 2022
+ href: validations/fips-140-windows-server-2022.md
- name: Windows Server 2019
href: validations/fips-140-windows-server-2019.md
- name: Windows Server 2016
@@ -32,4 +34,4 @@ items:
- name: Windows Server semi-annual releases
href: validations/cc-windows-server-semi-annual.md
- name: Previous Windows Server releases
- href: validations/cc-windows-server-previous.md
\ No newline at end of file
+ href: validations/cc-windows-server-previous.md
diff --git a/windows/security/security-foundations/certification/validations/cc-windows-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-previous.md
index 8d5cd8c275..d648de3a05 100644
--- a/windows/security/security-foundations/certification/validations/cc-windows-previous.md
+++ b/windows/security/security-foundations/certification/validations/cc-windows-previous.md
@@ -30,14 +30,14 @@ The following tables list the completed Common Criteria certifications for Windo
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] |
+|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] |
## Windows Vista
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] |
-|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] |
+|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] |
+|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] |
---
@@ -65,9 +65,6 @@ The following tables list the completed Common Criteria certifications for Windo
[admin-guide-january-2015-rt]: https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
-[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
-[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
-[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
diff --git a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
index 392c293fd2..d41e015648 100644
--- a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
+++ b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
@@ -1,7 +1,7 @@
---
title: Common Criteria certifications for previous Windows Server releases
description: Learn about the completed Common Criteria certifications for previous Windows Server releases.
-ms.date: 2/1/2024
+ms.date: 2/24/2025
ms.topic: reference
---
@@ -28,16 +28,16 @@ The following tables list the completed Common Criteria certifications for Windo
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] |
+|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] |
|Server Core 2008 R2: Hyper-V Server Role|July 24, 2009 |(Hyper-V certification.) Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 3. It is CC Part 2 extended and Part 3 conformant, with a claimed Evaluation Assurance Level of EAL4, augmented by ALC_FLR.3. |[Security Target][security-target-july-2009]; [Administrative Guide][admin-guide-july-2009]; [Certification Report][certification-report-july-2009] |
## Windows Server 2008
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] |
+|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] |
|Microsoft Windows Server Core 2008: Hyper-V Server Role. |July 24, 2009 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-july-2009-hyperv]; [Administrative Guide][admin-guide-july-2009-hyperv]; [Certification Report][certification-report-july-2009-hyperv] |
-|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] |
+|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] |
## Windows Server 2003 Certificate Server
@@ -77,11 +77,8 @@ The following tables list the completed Common Criteria certifications for Windo
[admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
-[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
[admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308
[admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252
-[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
-[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows-server-2022.md b/windows/security/security-foundations/certification/validations/fips-140-windows-server-2022.md
new file mode 100644
index 0000000000..828e85d5b7
--- /dev/null
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows-server-2022.md
@@ -0,0 +1,33 @@
+---
+title: FIPS 140 validated modules for Windows Server 2022
+description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server 2022.
+ms.date: 11/13/2024
+ms.topic: reference
+---
+
+# FIPS 140 validated modules in Windows Server 2022
+
+The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server 2022, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, see its linked Security Policy document or module certificate.
+
+## Windows Server 2022
+
+Build: 10.0.20348. Validated Editions: Standard, Datacenter, and Datacenter: Azure.
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
+---
+
+
+
+
+
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
+
+
+
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md b/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md
index d1d1724b36..5ca0829279 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows Server Semi-Annual Releases
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server semi-annual releases.
-ms.date: 2/1/2024
+ms.date: 11/13/2024
ms.topic: reference
---
@@ -9,7 +9,16 @@ ms.topic: reference
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server semi-annual releases, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
-## Windows Server, version 2004 (May 2020 Update)
+## Windows Server, version 20H2
+
+Build: 10.0.19042. Validated Editions: Standard Core, Datacenter Core
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
+## Windows Server, version 2004
Build: 10.0.19041. Validated Editions: Standard Core, Datacenter Core
@@ -24,7 +33,7 @@ Build: 10.0.19041. Validated Editions: Standard Core, Datacenter Core
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
-## Windows Server, version 1909 (November 2019 Update)
+## Windows Server, version 1909
Build: 10.0.18363. Validated Editions: Standard Core, Datacenter Core
@@ -39,7 +48,7 @@ Build: 10.0.18363. Validated Editions: Standard Core, Datacenter Core
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
-## Windows Server, version 1903 (May 2019 Update)
+## Windows Server, version 1903
Build: 10.0.18362. Validated Editions: Standard Core, Datacenter Core
@@ -123,6 +132,8 @@ Build: 10.0.16299. Validated Editions: Standard Core, Datacenter Core
[certificate-4536]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4536
[certificate-4537]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4537
[certificate-4538]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4538
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
@@ -146,3 +157,5 @@ Build: 10.0.16299. Validated Editions: Standard Core, Datacenter Core
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows10.md b/windows/security/security-foundations/certification/validations/fips-140-windows10.md
index e555337cb5..e7cecf69e6 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows10.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows10.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows 10
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 10.
-ms.date: 2/1/2024
+ms.date: 2/24/2025
ms.topic: reference
---
@@ -9,6 +9,24 @@ ms.topic: reference
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows 10, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
+## Windows 10, version 21H1 (May 2021 Update)
+
+Build: 10.0.19043. Validated Editions: Pro, Enterprise
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
+## Windows 10, version 20H2 (October 2020 Update)
+
+Build: 10.0.19042. Validated Editions: Pro, Enterprise
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
## Windows 10, version 2004 (May 2020 Update)
Build: 10.0.19041. Validated Editions: Home, Pro, Enterprise, Education
@@ -257,6 +275,8 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M
[certificate-4536]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4536
[certificate-4537]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4537
[certificate-4538]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4538
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
@@ -319,4 +339,6 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M
[sp-4515]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4515.pdf
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
-[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
+[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4538.pdf
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows11.md b/windows/security/security-foundations/certification/validations/fips-140-windows11.md
index bf551c22b5..f9b596134b 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows11.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows11.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows 11
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 11.
-ms.date: 2/1/2024
+ms.date: 11/12/2024
ms.topic: reference
---
@@ -16,6 +16,8 @@ Build: 10.0.22000. Validated Edition: Windows 11
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[Boot Manager][sp-4546]|[#4546][certificate-4546]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
---
@@ -24,7 +26,11 @@ Build: 10.0.22000. Validated Edition: Windows 11
[certificate-4546]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4546
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
[sp-4546]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4546.pdf
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/index.md b/windows/security/security-foundations/index.md
deleted file mode 100644
index 0275431b52..0000000000
--- a/windows/security/security-foundations/index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Windows security foundations
-description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: overview
-ms.date: 04/10/2024
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows security foundations
-
-Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today's threat environment.
-
-Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
-
-Use the links in the following table to learn more about the security foundations:
-
-[!INCLUDE [security-foundations](../includes/sections/security-foundations.md)]
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
index 7fc4c3adff..e8439d170b 100644
--- a/windows/security/security-foundations/toc.yml
+++ b/windows/security/security-foundations/toc.yml
@@ -1,8 +1,4 @@
items:
-- name: Overview
- href: index.md
-- name: Zero Trust and Windows
- href: zero-trust-windows-device-health.md
- name: Offensive research
items:
- name: Microsoft Security Development Lifecycle 🔗
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
deleted file mode 100644
index cacb76f47d..0000000000
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Zero Trust and Windows device health
-description: Describes the process of Windows device health attestation
-ms.topic: concept-article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.date: 09/06/2024
----
-
-# Zero Trust and Windows device health
-
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
-
-The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
-
-- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies
-- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity
-- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses
-
-The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
-
-[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
-
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
-
-Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
-
-## Device health attestation on Windows
-
- Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
-
-- If the device can be trusted
-- If the operating system booted correctly
-- If the OS has the right set of security features enabled
-
-These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
-
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](../operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
-
-A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
-
-1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event
-1. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service
-1. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation)
-1. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device
-1. The attestation service does the following tasks:
-
- - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log
- - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
- - Verify that the security features are in the expected states
-
-1. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service
-1. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules
-1. Conditional access, along with device-compliance state then decides to allow or deny access
-
-## Other Resources
-
-Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/).
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 68fce9d079..a7938a1a29 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -4,7 +4,7 @@ description: Describes the security capabilities in Windows client focused on th
author: aczechowski
ms.author: aaroncz
manager: aaroncz
-ms.topic: conceptual
+ms.topic: article
ms.date: 12/31/2017
---
@@ -25,7 +25,7 @@ See the following articles to learn more about the different areas of Windows th
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
-- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
+- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/index.md)
## Next-generation protection
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 5b5fb3e06e..abb60675b1 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -6,7 +6,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/31/2017
-ms.topic: conceptual
+ms.topic: how-to
---
# Mitigate threats by using Windows 10 security features
@@ -56,7 +56,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| **Windows Defender SmartScreen** helps prevent malicious applications from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard** helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol) |
| **Microsoft Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts** helps prevent fonts from being used in elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections** help prevent malware from using memory manipulation techniques such as buffer overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note: A subset of apps won't be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
@@ -88,14 +88,14 @@ For more information, see [Microsoft Defender SmartScreen overview](/windows/sec
Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve anti-malware:
+- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
+
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
-- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
+- **Rich local context** improves how malware is identified. Windows 11 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This up-to-date status is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
-- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
-
- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class anti-malware solution.
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index 6fbbd83941..bb89fd8728 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Introduction to Windows security
- href: introduction.md
- name: Windows 11 security book 🔗
href: book/index.md
- name: Security features licensing and edition requirements
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 7c53798b03..87ff332844 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -34,7 +34,7 @@ Customers concerned about NTLM usage in their environments are encouraged to uti
In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their `AcquireCredentialsHandle` request to the SSPI. One known exception is for applications that have made hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios may require additional configuration. For more information, see [Kerberos authentication troubleshooting guidance](/troubleshoot/windows-server/windows-security/kerberos-authentication-troubleshooting-guidance).
-Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm).
+Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm).
## WordPad
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index a12c5b5eb4..88573222b7 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 10/01/2024
+ms.date: 02/19/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@@ -21,9 +21,9 @@ appliesto:
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that were removed, see [Windows features removed](removed-features.md).
-For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
-
-To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
+- To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
+- For more information about how deprecation fits into the Windows lifecycle, see [Deprecation: What it means in the Windows lifecycle](https://techcommunity.microsoft.com/blog/windows-itpro-blog/deprecation-what-it-means-in-the-windows-lifecycle/4372457).
+- For more information about features removed on upgrade to Windows 11 from Windows 10, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features were replaced with other features or functionality and some are now available from other sources.
@@ -47,17 +47,20 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
+| Line printer daemon (LPR/LPD) | Deprecation reminder: [The line printer daemon protocol (LPR/LPD) was deprecated](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) starting in Windows Server 2012. As removal of the line printer daemon protocol nears, we'd like to remind customers to ensure their environments are prepared for removal. When these features are eventually removed, clients that print to a server using this protocol, such as UNIX clients, will not be able to connect or print. Instead, UNIX clients should use IPP. Windows clients can connect to UNIX shared printers using the [Windows Standard Port Monitor](/troubleshoot/windows-server/printing/standard-port-monitor-for-tcpip). | [Original announcement: Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) Courtesy reminder: February 2025 |
+| Location History | We are deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 |
+| Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 |
| Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired:
Playback of protected content in the legacy Windows Media Player on Windows 7
Playback of protected content in a Silverlight client and Windows 8 clients
In-home streaming playback from a Silverlight client or Windows 8 client to an Xbox 360
Playback of protected content ripped from a personal CD on Windows 7 clients using Windows Media Player
| September 2024 |
| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 |
-| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
+| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
-| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | June 2024 |
+| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which tries to authenticate with Kerberos and only falls back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 |
| Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
-| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
-| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
+| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to `disabled` by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
+| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits is deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
-| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
-| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
+| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | December 2023 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
**[Update - April 2024]**: Because Application Guard is deprecated there won't be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app won't be available after May 2024. This change affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you're ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
@@ -75,7 +78,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service was replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
-| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
+| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Windows Information Protection is removed starting in Windows 11, version 24H2. | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.** Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client. The following items might not be available in a future release of Windows client: - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows** - Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv) - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents** - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation command-line (WMIC) utility. | The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation applies to only the [command-line management utility](/windows/win32/wmisdk/wmic). WMI itself isn't affected. **[Update - January 2024]**: Currently, WMIC is a Feature on Demand (FoD) that's [preinstalled by default](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#wmic) in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default. | 21H1 |
@@ -83,7 +86,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
-| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September 2019 |
+| Microsoft Desktop Optimization Pack (MDOP) | The [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. End of extended support is April 14, 2026. This end of support includes the [User Experience Virtualization (UE-V) client in Windows](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).
As of November 2024, the [Application Virtualization (App-V) client in Windows](/microsoft-desktop-optimization-pack/app-v/appv-support-policy) is no longer deprecated and persists with a fixed extended support lifecycle. | September 2019 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
PSR was removed in Windows 11.| 1909 |
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
index de53336b4b..0a74721232 100644
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@@ -7,8 +7,8 @@ ms.author: mstewart
author: mestew
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 11/01/2023
+ms.topic: article
+ms.date: 02/19/2025
ms.collection:
- highpri
- tier2
@@ -43,15 +43,19 @@ The following are frequently asked questions about the ESU program for Windows 1
### How much does ESU cost?
-Final pricing and enrollment conditions will be made available closer to the October 2025 date for end of support, approximately one year before the end of support for Windows 10. ESU will be free for all Windows 365 customers. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
+For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year.
+
### Is there a minimum license purchase requirement for Windows 10 ESU?
-There are no minimum license purchase requirements for Windows 10 ESU.
+The minimum license purchase requirements for Windows 10 ESU is one license.
### Can ESUs be purchased for a specific duration?
-Customers can't buy partial periods, for instance, only six months. Extended Security Updates are transacted per year (12-month period), starting with the end of support date.
+The Extended Security Update Program for Windows 10 must be purchased by year. Customers can't buy partial periods, for instance, only six months. Year One starts in November 2025. If you decide to purchase the program in Year Two, you'll have to pay for Year One too, as ESUs are cumulative.
+
### When will the ESU offer be available for licensing?
diff --git a/windows/whats-new/ltsc/whats-new-windows-11-2024.md b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
index 3fbb4a3529..2e098597d2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-11-2024.md
+++ b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
@@ -18,7 +18,7 @@ appliesto:
This article lists some of the new and updated features and content that is of interest to IT Pros for Windows 11 Enterprise long-term servicing channel (LTSC) 2024, compared to Windows 10 Enterprise LTSC 2021. For a brief description of the LTSC servicing channel and associated support, see [Windows Enterprise LTSC](overview.md).
-Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
+Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
The Windows 11 Enterprise LTSC 2024 release includes the cumulative enhancements provided in Windows 11 versions 21H2, 22H2, 23H2, and 24H2. Details about these enhancements are provided below.
@@ -37,7 +37,7 @@ Windows 11 Enterprise LTSC 2024 was first available on October 1, 2024. Features
| Feature [Release] | Description |
| --- | --- |
-| **Windows accessibility** [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see: • [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) • [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554) • [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
+| **Windows accessibility** [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see: * [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) * [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554) * [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
| **Braille displays** [23H2][23H2] | Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros). |
| **Narrator improvements** [23H2][23H2] | Scripting functionality was added to Narrator. Narrator includes more natural voices. For more information, see [Complete guide to Narrator](https://support.microsoft.com/topic/e4397a0d-ef4f-b386-d8ae-c172f109bdb1). |
| **Bluetooth ® LE audio support for assistive devices** [24H2][24H2] | Windows has taken a significant step forward in accessibility by supporting the use of assistive hearing devices equipped with the latest Bluetooth ® Low Energy Audio technology. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647). |
@@ -95,15 +95,15 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| --- | --- |
| **Windows Security app** [21H2][21H2] | Windows Security app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center). |
| **Security baselines** [21H2][21H2] | Security baselines include security settings that are already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). |
-| **Microsoft Defender Antivirus** [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: • [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) • [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) • [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
+| **Microsoft Defender Antivirus** [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: * [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) * [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) * [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
| **Application Security** [21H2][21H2] | The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. For more information, see [Windows application security](/windows/security/apps). |
| **Microsoft Pluton** [22H2][22H2] | Pluton, designed by Microsoft and built by silicon partners, is a secure crypto-processor built into the CPU. Pluton provides security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data, and encryption keys. Information is harder to be removed even if an attacker installed malware or has complete physical possession. For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor). |
-| **Enhanced Phishing Protection** [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see: • [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) • [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
+| **Enhanced Phishing Protection** [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see: * [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) * [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
| **Smart App Control** [22H2][22H2] | Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. Smart App Control helps block unwanted apps that affect performance, display unexpected ads, offer extra software you didn't want, and other things you don't expect. For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control). |
| **Credential Guard** [22H2][22H2] | Credential Guard, enabled by default, uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket. For more information, see [Configure Credential Guard](/windows/security/identity-protection/credential-guard/configure).|
| **Malicious and vulnerable driver blocking** [22H2][22H2] | The vulnerable driver blocklist is automatically enabled on devices when Smart App Control is enabled and for clean installs of Windows. For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).|
| **Security hardening and threat protection** [22H2][22H2] | Enhanced support with Local Security Authority (LSA) to prevent code injection that could compromise credentials. For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json). |
-| **Personal Data Encryption (PDE)** [22H2][22H2] | [Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
+| **Personal Data Encryption** [22H2][22H2] | [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
| **Passkeys in Windows** [23H2][23H2] | Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys). |
| **Windows passwordless experience** [23H2][23H2] | Windows passwordless experience is a security policy that promotes a user experience without passwords on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices. When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/). |
| **Web sign-in for Windows** [23H2][23H2] | You can enable a web-based sign-in experience on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices, unlocking new sign-in options, and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in). |
@@ -112,10 +112,10 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| **App Control for Business** [24H2][24H2] | Customers can now use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital property from malicious code. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the admin console, including setting up Intune as a managed installer. For more information, see [Application Control for Windows](/windows/security/application-security/application-control/app-control-for-business/appcontrol).|
| **Local Security Authority (LSA) protection enablement** [24H2][24H2]| An audit occurs for incompatibilities with [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, [LSA protection logs](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load) whether programs are blocked from loading into LSA. |
| **Rust in the Windows kernel** [24H2][24H2] | There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel. |
-| **SHA-3 support** [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
+| **SHA-3 support** [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
| **Windows Local Admin Password Solution (LAPS)** [24H2][24H2] | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. Windows LAPS is the successor for the now deprecated legacy Microsoft LAPS product. For more information, see [What is Windows LAPS?](/windows-server/identity/laps/laps-overview)|
-| **Windows LAPS** Automatic account management [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to: • Automatically create the managed local account • Configure name of account • Enable or disable the account • Randomize the name of the account |
-| **Windows LAPS** Policy improvements [24H2][24H2]| • Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy • Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase • Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused. • Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
+| **Windows LAPS** Automatic account management [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to: * Automatically create the managed local account * Configure name of account * Enable or disable the account * Randomize the name of the account |
+| **Windows LAPS** Policy improvements [24H2][24H2]| * Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy * Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase * Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused. * Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
| **Windows LAPS** Image rollback detection [24H2][24H2] | Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema). |
| **Windows protected print mode** [24H2][24H2] | Windows protected print mode (WPP) enables a modern print stack which is designed to work exclusively with [Mopria certified printers](https://mopria.org/certified-products). For more information, see [What is Windows protected print mode (WPP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645) and [Windows Insider WPP announcement](https://blogs.windows.com/windows-insider/2023/12/13/announcing-windows-11-insider-preview-build-26016-canary-channel/). |
| **SMB signing requirement changes** [24H2][24H2] | [SMB signing is now required](/windows-server/storage/file-server/smb-signing) by default for all connections. SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. For more information about SMB signing being required by default, see [https://aka.ms/SMBSigningOBD](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704). |
@@ -123,8 +123,8 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| **SMB signing and encryption auditing** [24H2][24H2] | Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell. |
| **SMB alternative client and server ports** [24H2][24H2] | The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using [alternative network ports](/windows-server/storage/file-server/smb-ports) to the hardcoded defaults. However, you can only connect to alternative ports if the SMB server is configured to support listening on that port. Starting in [Windows Server Insider build 26040](https://techcommunity.microsoft.com/t5/windows-server-insiders/announcing-windows-server-preview-build-26040/m-p/4040858), the SMB server now supports listening on an alternative network port for SMB over QUIC. Windows Server doesn't support configuring alternative SMB server TCP ports, but some third parties do. For more information about this change, see [https://aka.ms/SMBAlternativePorts](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insider/ba-p/3974509). |
| **SMB NTLM blocking exception list** [24H2][24H2] |The SMB client now supports [blocking NTLM](/windows-server/storage/file-server/smb-ntlm-blocking) for remote outbound connections. With this new option, administrators can intentionally block Windows from offering NTLM via SMB and specify exceptions for NTLM usage. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and can't brute force, crack, or pass hashes. This change adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. For more information about this change, see [https://aka.ms/SmbNtlmBlock](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206). |
-| **SMB dialect management** [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
-| **SMB over QUIC client access control** [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: • [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. • [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell • [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
+| **SMB dialect management** [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
+| **SMB over QUIC client access control** [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: * [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. * [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell * [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
| **SMB firewall rule changes** [24H2][24H2] | The Windows Firewall [default behavior has changed](/windows-server/storage/file-server/smb-secure-traffic#updated-firewall-rules-preview). Previously, creating an SMB share automatically configured the firewall to enable the rules in the **File and Printer Sharing** group for the given firewall profiles. Now, Windows automatically configures the new **File and Printer Sharing (Restrictive)** group, which no longer contains inbound NetBIOS ports 137-139. This change enforces a higher degree of default of network security and brings SMB firewall rules closer to the Windows Server **File Server** role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the **File and Printer Sharing** group if necessary as well as modify this new firewall group, these are just default behaviors. For more information about this change, see [https://aka.ms/SMBfirewall](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-firewall-rule-changes-in-windows-insider/ba-p/3974496). For more information about SMB network security, see [Secure SMB Traffic in Windows Server](/windows-server/storage/file-server/smb-secure-traffic). |
## Servicing
@@ -132,7 +132,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| Feature [Release] | Description |
| --- | --- |
-| **Windows Updates and Delivery optimization** [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see: • [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization) • [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) • [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
+| **Windows Updates and Delivery optimization** [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see: * [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization) * [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) * [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
| **Control Windows Update notifications** [22H2][22H2] | You can now block user notifications for Windows Updates during active hours. This setting is especially useful for organizations that want to prevent Windows Update notifications from occurring during business hours. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).|
| **Organization name in update notifications** |The organization name now appears in the Windows Update notifications when Windows clients are associated with a Microsoft Entra ID tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name). |
| **Checkpoint cumulative updates** [24H2][24H2] | Windows quality updates are provided as cumulative updates throughout the life cycle of a Windows release. Checkpoint cumulative updates introduce periodic baselines that reduce the size of future cumulative updates making the distribution of monthly quality updates more efficient. For more information, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552). |
@@ -152,7 +152,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
## Features Removed
-Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
+Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
| Feature | Description |
|---------|-------------|
@@ -170,5 +170,5 @@ Each version of Windows client adds new features and functionality. Occasionally
[21H2]: ..\windows-11-overview.md
[22H2]: ..\whats-new-windows-11-version-22H2.md
-[23H2]: ..\whats-new-windows-11-version-23h2.md
+[23H2]: ..\whats-new-windows-11-version-23h2.md
[24H2]: ..\whats-new-windows-11-version-24H2.md
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 7d8297fb4a..0c7e01a1bf 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -8,8 +8,8 @@ ms.author: mstewart
manager: aaroncz
ms.topic: reference
ms.subservice: itpro-fundamentals
-ms.date: 08/23/2024
-ms.collection:
+ms.date: 02/25/2025
+ms.collection:
- highpri
- tier1
appliesto:
@@ -38,6 +38,10 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Support removed |
| ----------- | --------------------- | ------ |
+| Data Encryption Standard (DES) | DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and [Windows Server 2025](/windows-server/get-started/removed-deprecated-features-windows-server-2025) and later.| September 2025 |
+| NTLMv1 | NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. | 24H2 |
+| Windows Information Protection | Windows Information Protection is removed starting in Windows 11, version 24H2. | 24H2 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 |
| WordPad | WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. If you're a developer and need information about the affected binaries, see [Resources for deprecated features](deprecated-features-resources.md#wordpad). | October 1, 2024 |
| Alljoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures. AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | October 1, 2024 |
| Update Compliance | Update Compliance, a cloud-based service for the Windows client, is retired. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | March 31, 2023 |
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index a76a1b6abb..3b1f47426d 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -70,9 +70,9 @@ For more information, see [Configuring Additional LSA Protection](/windows-serve
## Personal Data Encryption
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal Data Encryption is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. Personal Data Encryption differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With Personal Data Encryption, users only need to enter one set of credentials via Windows Hello for Business.
For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
diff --git a/windows/whats-new/whats-new-windows-11-version-24h2.md b/windows/whats-new/whats-new-windows-11-version-24h2.md
index 795ddf0bd1..a5f7acda5a 100644
--- a/windows/whats-new/whats-new-windows-11-version-24h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-24h2.md
@@ -18,7 +18,7 @@ appliesto:
# What's new in Windows 11, version 24H2
-Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
+Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
>**Looking for consumer information?** See [Windows 11 2024 update](https://support.microsoft.com/topic/93c5c27c-f96e-43c2-a08e-5812d92f220d#windowsupdate=26100).
@@ -42,21 +42,21 @@ To learn more about the status of the update rollout, known issues, and new info
There aren't any features under temporary enterprise control between Windows 11, version 23H2 and Windows 11, version 24H2. For a list of features that were under temporary enterprise control between Windows 11, version 22H2 and Windows 11, version 23H2, see, [Windows 11 features behind temporary enterprise feature control](temporary-enterprise-feature-control.md).
## Checkpoint cumulative updates
-
+
Microsoft is introducing checkpoint cumulative updates, a new servicing model that enables devices running Windows 11, version 24H2 or later to save time, bandwidth and hard drive space when getting features and security enhancements via the latest cumulative update. Previously, the cumulative updates contained all changes to the binaries since the last release to manufacturing (RTM) version. The size of the cumulative updates could grow large over time since RTM was used as the baseline for each update.
With checkpoint cumulative updates, the update file level differentials are based on a previous cumulative update instead of the RTM release. Cumulative updates that serve as a checkpoint will be released periodically. Using a checkpoint rather than RTM means the subsequent update packages are smaller, which makes downloads and installations faster. Using a checkpoint also means that in order for a device to install the latest cumulative update, the installation of a prerequisite cumulative update might be required. For more information about checkpoint cumulative updates, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552).
## Features exclusive to Copilot+ PCs in 24H2
-Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
+Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
- Live Captions allow you to translate audio and video content into English subtitles from 44 languages. For more information, see [Use live captions to better understand audio](https://support.microsoft.com/topic/b52da59c-14b8-4031-aeeb-f6a47e6055df).
- Windows Studio Effects is the collective name of AI-powered video call and audio effects that are available on Copilot+ PCs and select Windows 11 devices with compatible NPUs. Windows Studio Effects automatically improves lighting and cancels noises during video calls. For more information, see [Windows Studio Effects](https://support.microsoft.com/topic/273c1fa8-2b3f-41b1-a587-7cc7a24b62d8).
@@ -80,7 +80,7 @@ The following changes were made for SMB signing and encryption:
- **SMB client encryption**: SMB now supports [requiring encryption](/windows-server/storage/file-server/configure-smb-client-require-encryption) on all outbound SMB client connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. With this new option, administrators can mandate that all destination servers use SMB 3 and encryption, and if missing those capabilities, the client won't connect. For more information about this change, see [https://aka.ms/SmbClientEncrypt](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-client-encryption-mandate-now-supported-in-windows-insider/ba-p/3964037).
-- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
+- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
#### SMB alternative client and server ports
@@ -104,7 +104,7 @@ For more information about this change, see [https://aka.ms/SmbDialectManage](ht
[SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature.
-Administrators now have more options for SMB over QUIC such as:
+Administrators now have more options for SMB over QUIC such as:
- [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience.
- [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell
@@ -124,7 +124,7 @@ For more information about this change, see [https://aka.ms/SMBfirewall](https:/
[LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) helps protect against theft of secrets and credentials used for logon by preventing unauthorized code from running in the LSA process and by preventing dumping of process memory. An audit occurs for incompatibilities with LSA protection for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, LSA protection records whether programs are blocked from loading into LSA. If you would like to check if something was blocked, review the [logging](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load).
-
+
### Remote Mailslot protocol disabled by default
[Remote Mailslot protocol](/openspecs/windows_protocols/ms-mail/47ac910f-1dec-4791-8486-9b3e8fd542da) was [deprecated](deprecated-features.md#deprecated-features) in November 2023 and is now disabled by default starting in Windows 11, version 24H2. For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots).
@@ -144,18 +144,18 @@ LAPS has the following policy improvements:
- Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the zero and the letter O aren't used in the password since the characters can be confused.
- Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation.
-Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
+Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
### Rust in the Windows kernel
There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel.
-### Personal Data Encryption (PDE) for folders
+### Personal Data Encryption for folders
-PDE for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. PDE for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
-PDE for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
+Personal Data Encryption for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. Personal Data Encryption for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
+Personal Data Encryption for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
-For more information about PDE, see [PDE overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
+For more information about Personal Data Encryption, see [Personal Data Encryption overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
### Windows protected print mode
@@ -184,7 +184,7 @@ Support for Wi-Fi 7 was added for consumer access points. Wi-Fi 7, also known a
### Bluetooth ® LE audio support for assistive devices
-Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
+Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
### Windows location improvements
@@ -213,7 +213,7 @@ In addition to the monthly cumulative update, optional updates are available to
### Remote Desktop Connection improvements
Remote Desktop Connection has the following improvements:
-- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
+- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
- Remote Desktop Connection supports zoom options of 350, 400, 450, and 500%
- Improvements to the connection bar design
@@ -223,11 +223,11 @@ Remote Desktop Connection has the following improvements:
- **File Explorer**: The following changes were made to File Explorer context menu:
- Support for creating 7-zip and TAR archives
- - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
+ - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
- Labels were added to the context menu icons for actions like copy, paste, delete, and rename
- **OOBE improvement**: when you need to connect to a network and there's no Wi-Fi drivers, you're given an *Install drivers* option to install drivers that are already downloaded
- **Registry Editor**: The Registry Editor supports limiting a search to the currently selected key and its descendants
-- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
+- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
### Developer APIs
@@ -242,5 +242,6 @@ The following developer APIs were added or updated:
The following [deprecated features](deprecated-features.md) are [removed](removed-features.md) in Windows 11, version 24H2:
+- **NTLMv1**: NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025.
- **WordPad**: WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025.
- **Alljoyn**: Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired.
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index a348f85ad3..909814ca56 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -6,7 +6,7 @@ author: mestew
ms.author: mstewart
ms.service: windows-client
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.collection:
- highpri
- tier1
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 40e15cb0a2..c50c610a28 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -1,5 +1,5 @@
---
-title: Windows commercial licensing overview
+title: Windows Commercial Licensing Overview
description: Learn about products and use rights available through Windows commercial licensing.
ms.subservice: itpro-security
author: paolomatarazzo
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- tier2
ms.topic: overview
-ms.date: 02/29/2024
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 11
ms.service: windows-client
@@ -143,7 +143,7 @@ The following table lists the Windows 11 Enterprise features and their Windows e
|**[Credential Guard][WIN-1]**|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
-|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
+|**[Personal Data Encryption][WIN-3]**|❌|Yes|
|**[Direct Access][WINS-1]**|Yes|Yes|
|**[Always On VPN][WINS-2]**|Yes|Yes|
|**[Windows Experience customization][WIN-4]**|❌|Yes|