December DDF updates

2025-05-12 13:27:23 +00:00 · 2025-01-14 16:45:06 -07:00 · 2025-01-14 16:45:06 -07:00 · 83932149e5
commit 83932149e5
parent 02538cf8e0
10 changed files with 415 additions and 54 deletions
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -1,7 +1,7 @@
 ---
 title: HealthAttestation CSP
 description: Learn more about the HealthAttestation CSP.
-ms.date: 01/31/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no
 <!-- Device-AttestErrorMessage-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later <br> ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later <br> ✅ Windows Insider Preview |
 <!-- Device-AttestErrorMessage-Applicability-End -->

 <!-- Device-AttestErrorMessage-OmaUri-Begin -->
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@ -1,7 +1,7 @@
 ---
 title: HealthAttestation DDF file
 description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
-ms.date: 06/28/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H
          <MIME />
        </DFType>
        <MSFT:Applicability>
-          <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+          <MSFT:OsBuildVersion>99.9.99999, 10.0.26100.2314, 10.0.22621.4541</MSFT:OsBuildVersion>
          <MSFT:CspVersion>1.4</MSFT:CspVersion>
        </MSFT:Applicability>
      </DFProperties>
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@ -1,7 +1,7 @@
 ---
 title: Configuration service provider preview policies
 description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 11/27/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview

 ## Connectivity

+- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
 - [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
 - [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
 - [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
 - [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)

+## DeviceGuard
+
+- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
+
 ## DevicePreparation CSP

 - [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview

 - [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)

+## HumanPresence
+
+- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
+- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
+- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
+
 ## InternetExplorer

 - [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview

 - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)

+## Printers
+
+- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
+
 ## Reboot CSP

 - [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@ -1,7 +1,7 @@
 ---
 title: Connectivity Policy CSP
 description: Learn more about the Connectivity Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read

 <!-- DisableCellularSettingsPage-End -->

+<!-- DisableCrossDeviceResume-Begin -->
+## DisableCrossDeviceResume
+
+<!-- DisableCrossDeviceResume-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- DisableCrossDeviceResume-Applicability-End -->
+
+<!-- DisableCrossDeviceResume-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
+```
+<!-- DisableCrossDeviceResume-OmaUri-End -->
+
+<!-- DisableCrossDeviceResume-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC.
+
+- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
+
+- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
+
+- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
+<!-- DisableCrossDeviceResume-Description-End -->
+
+<!-- DisableCrossDeviceResume-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DisableCrossDeviceResume-Editable-End -->
+
+<!-- DisableCrossDeviceResume-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- DisableCrossDeviceResume-DFProperties-End -->
+
+<!-- DisableCrossDeviceResume-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | CrossDeviceResume is Enabled. |
+| 1 | CrossDeviceResume is Disabled. |
+<!-- DisableCrossDeviceResume-AllowedValues-End -->
+
+<!-- DisableCrossDeviceResume-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DisableCrossDeviceResume-Examples-End -->
+
+<!-- DisableCrossDeviceResume-End -->
+
 <!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
 ## DisableDownloadingOfPrintDriversOverHTTP

--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@ -1,7 +1,7 @@
 ---
 title: DeliveryOptimization Policy CSP
 description: Learn more about the DeliveryOptimization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -93,7 +93,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the

 <!-- DOAllowVPNPeerCaching-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
 <!-- DOAllowVPNPeerCaching-Description-End -->

 <!-- DOAllowVPNPeerCaching-Editable-Begin -->
@ -240,10 +240,18 @@ If this policy isn't configured, the client will attempt to automatically find a
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-4294967295]` |
 | Default Value  | 0 |
 <!-- DOCacheHostSource-DFProperties-End -->

+<!-- DOCacheHostSource-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | DHCP Option 235. |
+| 2 | DHCP Option 235 Force. |
+<!-- DOCacheHostSource-AllowedValues-End -->
+
 <!-- DOCacheHostSource-GpMapping-Begin -->
 **Group policy mapping**:

@ -342,7 +350,7 @@ The recommended value is 1 hour (3600).

 <!-- DODelayCacheServerFallbackBackground-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
 <!-- DODelayCacheServerFallbackBackground-Description-End -->

 <!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
@ -397,7 +405,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT

 <!-- DODelayCacheServerFallbackForeground-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
 <!-- DODelayCacheServerFallbackForeground-Description-End -->

 <!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@ -513,7 +521,7 @@ The recommended value is 1 minute (60).

 <!-- DODisallowCacheServerDownloadsOnVPN-Description-Begin -->
 <!-- Description-Source-DDF -->
-Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
+Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
 <!-- DODisallowCacheServerDownloadsOnVPN-Description-End -->

 <!-- DODisallowCacheServerDownloadsOnVPN-Editable-Begin -->
@ -535,8 +543,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec

 | Value | Description |
 |:--|:--|
-| 0 (Default) | Allowed. |
-| 1 | Not allowed. |
+| 0 (Default) | Not Set. |
+| 1 | Enabled. |
 <!-- DODisallowCacheServerDownloadsOnVPN-AllowedValues-End -->

 <!-- DODisallowCacheServerDownloadsOnVPN-GpMapping-Begin -->
@ -572,7 +580,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec

 <!-- DODownloadMode-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
+Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
 <!-- DODownloadMode-Description-End -->

 <!-- DODownloadMode-Editable-Begin -->
@ -598,10 +606,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
 |:--|:--|
 | 0 (Default) | HTTP only, no peering. |
 | 1 | HTTP blended with peering behind the same NAT. |
-| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
+| 2 | HTTP blended with peering across a private group. |
 | 3 | HTTP blended with Internet peering. |
-| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
-| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
+| 99 | HTTP only, no peering, no use of DO cloud service. |
+| 100 | Bypass mode, deprecated in Windows 11. |
 <!-- DODownloadMode-AllowedValues-End -->

 <!-- DODownloadMode-GpMapping-Begin -->
@ -698,7 +706,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen

 <!-- DOGroupIdSource-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Specifies the source of group ID used for peer selection.
 <!-- DOGroupIdSource-Description-End -->

 <!-- DOGroupIdSource-Editable-Begin -->
@ -722,12 +730,12 @@ Set this policy to restrict peer selection to a specific source. Available optio

 | Value | Description |
 |:--|:--|
-| 0 (Default) | Unset. |
+| 0 (Default) | Not Set. |
 | 1 | AD site. |
 | 2 | Authenticated domain SID. |
-| 3 | DHCP user option. |
-| 4 | DNS suffix. |
-| 5 | Microsoft Entra ID. |
+| 3 | DHCP Option ID. |
+| 4 | DNS Suffix. |
+| 5 | Entra ID Tenant ID. |
 <!-- DOGroupIdSource-AllowedValues-End -->

 <!-- DOGroupIdSource-GpMapping-Begin -->
@ -824,7 +832,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts

 <!-- DOMaxCacheAge-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
 <!-- DOMaxCacheAge-Description-End -->

 <!-- DOMaxCacheAge-Editable-Begin -->
@ -879,7 +887,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt

 <!-- DOMaxCacheSize-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
 <!-- DOMaxCacheSize-Description-End -->

 <!-- DOMaxCacheSize-Editable-Begin -->
@ -991,7 +999,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts

 <!-- DOMinBackgroundQos-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
+Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
 <!-- DOMinBackgroundQos-Description-End -->

 <!-- DOMinBackgroundQos-Editable-Begin -->
@ -1165,7 +1173,7 @@ Recommended values: 64 GB to 256 GB.

 <!-- DOMinFileSizeToCache-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
+Specifies the minimum content file size in MB eligible to use P2P.
 <!-- DOMinFileSizeToCache-Description-End -->

 <!-- DOMinFileSizeToCache-Editable-Begin -->
@ -1220,7 +1228,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom

 <!-- DOMinRAMAllowedToPeer-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
+Specifies the minimum total RAM size in GB required to use P2P.
 <!-- DOMinRAMAllowedToPeer-Description-End -->

 <!-- DOMinRAMAllowedToPeer-Editable-Begin -->
@ -1330,7 +1338,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be

 <!-- DOMonthlyUploadDataCap-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
+Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
 <!-- DOMonthlyUploadDataCap-Description-End -->

 <!-- DOMonthlyUploadDataCap-Editable-Begin -->
@ -1501,7 +1509,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts

 <!-- DORestrictPeerSelectionBy-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
+Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
 <!-- DORestrictPeerSelectionBy-Description-End -->

 <!-- DORestrictPeerSelectionBy-Editable-Begin -->
@ -1528,7 +1536,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
 |:--|:--|
 | 0 (Default) | None. |
 | 1 | Subnet mask. |
-| 2 | Local peer discovery (DNS-SD). |
+| 2 | Local discovery (DNS-SD). |
 <!-- DORestrictPeerSelectionBy-AllowedValues-End -->

 <!-- DORestrictPeerSelectionBy-GpMapping-Begin -->
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@ -1,7 +1,7 @@
 ---
 title: DeviceGuard Policy CSP
 description: Learn more about the DeviceGuard Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
 <!-- DeviceGuard-Begin -->
 # Policy CSP - DeviceGuard

+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- DeviceGuard-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DeviceGuard-Editable-End -->
@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config

 <!-- LsaCfgFlags-End -->

+<!-- MachineIdentityIsolation-Begin -->
+## MachineIdentityIsolation
+
+<!-- MachineIdentityIsolation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- MachineIdentityIsolation-Applicability-End -->
+
+<!-- MachineIdentityIsolation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
+```
+<!-- MachineIdentityIsolation-OmaUri-End -->
+
+<!-- MachineIdentityIsolation-Description-Begin -->
+<!-- Description-Source-DDF-Forced -->
+Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
+<!-- MachineIdentityIsolation-Description-End -->
+
+<!-- MachineIdentityIsolation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MachineIdentityIsolation-Editable-End -->
+
+<!-- MachineIdentityIsolation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- MachineIdentityIsolation-DFProperties-End -->
+
+<!-- MachineIdentityIsolation-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
+| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
+| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
+<!-- MachineIdentityIsolation-AllowedValues-End -->
+
+<!-- MachineIdentityIsolation-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Machine Identity Isolation Configuration. |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+<!-- MachineIdentityIsolation-GpMapping-End -->
+
+<!-- MachineIdentityIsolation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MachineIdentityIsolation-Examples-End -->
+
+<!-- MachineIdentityIsolation-End -->
+
 <!-- RequirePlatformSecurityFeatures-Begin -->
 ## RequirePlatformSecurityFeatures

--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@ -1,7 +1,7 @@
 ---
 title: HumanPresence Policy CSP
 description: Learn more about the HumanPresence Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 09/27/2024
 <!-- HumanPresence-Begin -->
 # Policy CSP - HumanPresence

+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- HumanPresence-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- HumanPresence-Editable-End -->
@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will

 <!-- ForceLockTimeout-End -->

+<!-- ForcePrivacyScreen-Begin -->
+## ForcePrivacyScreen
+
+<!-- ForcePrivacyScreen-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- ForcePrivacyScreen-Applicability-End -->
+
+<!-- ForcePrivacyScreen-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
+```
+<!-- ForcePrivacyScreen-OmaUri-End -->
+
+<!-- ForcePrivacyScreen-Description-Begin -->
+<!-- Description-Source-DDF -->
+Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
+<!-- ForcePrivacyScreen-Description-End -->
+
+<!-- ForcePrivacyScreen-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ForcePrivacyScreen-Editable-End -->
+
+<!-- ForcePrivacyScreen-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- ForcePrivacyScreen-DFProperties-End -->
+
+<!-- ForcePrivacyScreen-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 2 | ForcedOff. |
+| 1 | ForcedOn. |
+| 0 (Default) | DefaultToUserChoice. |
+<!-- ForcePrivacyScreen-AllowedValues-End -->
+
+<!-- ForcePrivacyScreen-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ForcePrivacyScreen |
+| Path | Sensors > AT > WindowsComponents > HumanPresence |
+<!-- ForcePrivacyScreen-GpMapping-End -->
+
+<!-- ForcePrivacyScreen-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ForcePrivacyScreen-Examples-End -->
+
+<!-- ForcePrivacyScreen-End -->
+
+<!-- ForcePrivacyScreenDim-Begin -->
+## ForcePrivacyScreenDim
+
+<!-- ForcePrivacyScreenDim-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- ForcePrivacyScreenDim-Applicability-End -->
+
+<!-- ForcePrivacyScreenDim-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
+```
+<!-- ForcePrivacyScreenDim-OmaUri-End -->
+
+<!-- ForcePrivacyScreenDim-Description-Begin -->
+<!-- Description-Source-DDF -->
+Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
+<!-- ForcePrivacyScreenDim-Description-End -->
+
+<!-- ForcePrivacyScreenDim-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ForcePrivacyScreenDim-Editable-End -->
+
+<!-- ForcePrivacyScreenDim-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- ForcePrivacyScreenDim-DFProperties-End -->
+
+<!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 2 | ForcedUnchecked. |
+| 1 | ForcedChecked. |
+| 0 (Default) | DefaultToUserChoice. |
+<!-- ForcePrivacyScreenDim-AllowedValues-End -->
+
+<!-- ForcePrivacyScreenDim-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ForcePrivacyScreenDim |
+| Path | Sensors > AT > WindowsComponents > HumanPresence |
+<!-- ForcePrivacyScreenDim-GpMapping-End -->
+
+<!-- ForcePrivacyScreenDim-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ForcePrivacyScreenDim-Examples-End -->
+
+<!-- ForcePrivacyScreenDim-End -->
+
+<!-- ForcePrivacyScreenNotification-Begin -->
+## ForcePrivacyScreenNotification
+
+<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- ForcePrivacyScreenNotification-Applicability-End -->
+
+<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
+```
+<!-- ForcePrivacyScreenNotification-OmaUri-End -->
+
+<!-- ForcePrivacyScreenNotification-Description-Begin -->
+<!-- Description-Source-DDF -->
+Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
+<!-- ForcePrivacyScreenNotification-Description-End -->
+
+<!-- ForcePrivacyScreenNotification-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ForcePrivacyScreenNotification-Editable-End -->
+
+<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- ForcePrivacyScreenNotification-DFProperties-End -->
+
+<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 2 | ForcedUnchecked. |
+| 1 | ForcedChecked. |
+| 0 (Default) | DefaultToUserChoice. |
+<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
+
+<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ForcePrivacyScreenNotification |
+| Path | Sensors > AT > WindowsComponents > HumanPresence |
+<!-- ForcePrivacyScreenNotification-GpMapping-End -->
+
+<!-- ForcePrivacyScreenNotification-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ForcePrivacyScreenNotification-Examples-End -->
+
+<!-- ForcePrivacyScreenNotification-End -->
+
 <!-- HumanPresence-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- HumanPresence-CspMoreInfo-End -->
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@ -1,7 +1,7 @@
 ---
 title: Printers Policy CSP
 description: Learn more about the Printers Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024

 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]

+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- Printers-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Printers-Editable-End -->
@ -348,6 +350,56 @@ The following are the supported values:

 <!-- ConfigureIppPageCountsPolicy-End -->

+<!-- ConfigureIppTlsCertificatePolicy-Begin -->
+## ConfigureIppTlsCertificatePolicy
+
+<!-- ConfigureIppTlsCertificatePolicy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- ConfigureIppTlsCertificatePolicy-Applicability-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
+```
+<!-- ConfigureIppTlsCertificatePolicy-OmaUri-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- ConfigureIppTlsCertificatePolicy-Description-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ConfigureIppTlsCertificatePolicy-Editable-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ConfigureIppTlsCertificatePolicy-DFProperties-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-Begin -->
+<!-- ADMX-Not-Found -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureIppTlsCertificatePolicy |
+| ADMX File Name | Printing.admx |
+<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ConfigureIppTlsCertificatePolicy-Examples-End -->
+
+<!-- ConfigureIppTlsCertificatePolicy-End -->
+
 <!-- ConfigureRedirectionGuardPolicy-Begin -->
 ## ConfigureRedirectionGuardPolicy

--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -1,7 +1,7 @@
 ---
 title: VPNv2 CSP
 description: Learn more about the VPNv2 CSP.
-ms.date: 01/18/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa

 <!-- Device-{ProfileName}-ByPassForLocal-Description-Begin -->
 <!-- Description-Source-DDF -->
-False: Don't Bypass for Local traffic.
-
-True: ByPass VPN Interface for Local Traffic.
-
-Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+Not supported.
 <!-- Device-{ProfileName}-ByPassForLocal-Description-End -->

 <!-- Device-{ProfileName}-ByPassForLocal-Editable-Begin -->
@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa

 <!-- User-{ProfileName}-ByPassForLocal-Description-Begin -->
 <!-- Description-Source-DDF -->
-False: Don't Bypass for Local traffic.
-
-True: ByPass VPN Interface for Local Traffic.
-
-Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+Not supported.
 <!-- User-{ProfileName}-ByPassForLocal-Description-End -->

 <!-- User-{ProfileName}-ByPassForLocal-Editable-Begin -->
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@ -1,7 +1,7 @@
 ---
 title: VPNv2 DDF file
 description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
-ms.date: 06/28/2024
+ms.date: 01/14/2025
 ---

 <!-- Auto-Generated CSP Document -->
@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V
            <Replace />
          </AccessType>
          <Description>
-                        False : Do not Bypass for Local traffic
-                        True : ByPass VPN Interface for Local Traffic
-
-                        Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+                        Not supported.
                    </Description>
          <DFFormat>
            <bool />
@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
            <Replace />
          </AccessType>
          <Description>
-                        False : Do not Bypass for Local traffic
-                        True : ByPass VPN Interface for Local Traffic
-
-                        Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
+                        Not supported.
                    </Description>
          <DFFormat>
            <bool />