diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index da583b8cd9..33d21ef260 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,7 +1,8 @@
---
title: WiFi CSP
description: Learn more about the WiFi CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index a2a8cf4407..5b19466938 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WiFi DDF file
description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 10546d7713..0e493f19d0 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderApplicationGuard CSP
description: Learn more about the WindowsDefenderApplicationGuard CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 06f96f2518..9af969aacd 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 91e5d7b4ea..bef27c7ed9 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,7 +1,8 @@
---
title: WindowsLicensing CSP
description: Learn more about the WindowsLicensing CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index d2abdc9fc4..22e3081e8b 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WindowsLicensing DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 12bac7c750..253819df28 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,7 +1,8 @@
---
title: WiredNetwork CSP
description: Learn more about the WiredNetwork CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index 178bba80f3..9c796c3f69 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WiredNetwork DDF file
description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 711bc21aea..955dee1921 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -48,7 +48,7 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
- - name: Updated Windows and Microsoft Copilot experience
+ - name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md
diff --git a/windows/configuration/start/includes/hide-recently-added-apps.md b/windows/configuration/start/includes/hide-recently-added-apps.md
index 43c642e888..92a4d13c36 100644
--- a/windows/configuration/start/includes/hide-recently-added-apps.md
+++ b/windows/configuration/start/includes/hide-recently-added-apps.md
@@ -7,9 +7,16 @@ ms.topic: include
### Hide recently added apps
-With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications.
+With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications:
-If you enable this policy, the Start menu doesn't display the **Recently added** list. The corresponding setting is also disabled in Settings.
+- If **enabled**, the Start menu doesn't display the **Recently added** list. The corresponding option in Settings can't be configured (grayed out).
+- If **disabled** or **not configured**, the Start menu displays the **Recently added** list. The corresponding option in Settings can be configured.
+
+> [!IMPORTANT]
+> Starting in Windows 11, version 22H2 with [KB5048685](https://support.microsoft.com/topic/4602-ea3736d3-6948-4fd7-9faf-8d732ac2ed59), the policy setting behavior changed.
+>
+> - If **enabled**, the corresponding option in Settings can't be configured (grayed out). The policy setting doesn't affect the display of recently installed applications in the Recommended section of the Start menu.
+> - If **disabled** or **not configured**, the corresponding option in Settings can be configured.
| | Path |
|--|--|
diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md
index d2454b1e79..6f93e76b25 100644
--- a/windows/configuration/taskbar/pinned-apps.md
+++ b/windows/configuration/taskbar/pinned-apps.md
@@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
- **Value:** content of the XML file
> [!NOTE]
-> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
+> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \< and \> entity encodings. Single and double quote characters do not need to be escaped.
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index e816d252d7..db0c863b4a 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -294,6 +294,8 @@ items:
href: update/windows-update-logs.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
+ - name: Checkpoint cumulative updates and Microsoft Update Catalog usage
+ href: update/catalog-checkpoint-cumulative-updates.md
- name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
- name: Update other Microsoft products
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index 79e8211757..1f8366e62b 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -36,4 +36,6 @@ Use the table below to reference any particular content types or services endpoi
| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Both |
| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Both |
| *.do.dsp.mp.microsoft.com | HTTP / 80 HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Connected Cache Managed in Azure |
-| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | AMQP / 5671 MQTT / 8883 HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
+| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
+| *.ubuntu.com, api.snapcraft.io | HTTP / 80 HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure |
+| packages.microsoft.com | HTTP / 80 HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure |
diff --git a/windows/deployment/do/mcc-ent-prerequisites.md b/windows/deployment/do/mcc-ent-prerequisites.md
index f30f503e31..f8ddaef129 100644
--- a/windows/deployment/do/mcc-ent-prerequisites.md
+++ b/windows/deployment/do/mcc-ent-prerequisites.md
@@ -30,6 +30,8 @@ This article details the requirements and recommended specifications for using M
- [Windows Enterprise E3 or E5](/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916)
- Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans)
+ Note that there is no limit to the number of licensed machines that may concurrently download from a Connected Cache node.
+
## Cache node host machine requirements
### General requirements
diff --git a/windows/deployment/do/mcc-ent-release-notes.md b/windows/deployment/do/mcc-ent-release-notes.md
index 28471a7fb7..7a69747aff 100644
--- a/windows/deployment/do/mcc-ent-release-notes.md
+++ b/windows/deployment/do/mcc-ent-release-notes.md
@@ -18,16 +18,29 @@ ms.date: 10/30/2024
This article contains details about the latest releases of Connected Cache. Since Connected Cache is a preview service, some releases may contain breaking changes.
+## Install script v2.0.0.2
+
+Released on **2/7/2025**
+
+These changes only affect the installation scripts for Connected Cache. To take advantage of these changes, you'll need to redeploy your existing cache nodes using the updated installation script.
+
+### Improvements
+
+- **Removes dependency on AMQP/MQTT ports**: Cache nodes deployed using this updated installation script will no longer use AMQP (5671) or MQTT (8883) ports. This change simplifies the network configuration for cache nodes and reduces the number of ports that need to be opened in your network security group.
+- **Improves cleanup during uninstall**: Windows-hosted cache nodes will now remove port proxy rules when uninstalled using the `uninstallmcconwsl.ps1` script. This change ensures that the host machine's WSL port-forwarding rules are cleaned up properly when uninstalling Connected Cache.
+- **Changes install error codes from decimal to hex code**: Install error codes for Windows-hosted cache nodes are now displayed in hex code format, improving error code readability.
+- **Uses configured proxy to perform install**: If a proxy was configured for the Windows-hosted cache node in Azure portal, the cache node uses the specified proxy during installation.
+
## Release v1.2.1.2076_E (public preview launch)
The public preview released on **10/30/2024**
-For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. Please see the [early preview documentation page](mcc-ent-early-preview.md) for more details.
+For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. See the [early preview documentation page](mcc-ent-early-preview.md) for more details.
### Feature updates
- **Metrics and charts in Azure portal**: You can now visualize *Outbound egress* and *Volume by Content type* charts for your cache node on Azure portal. You can also create custom monitoring charts for your cache nodes. This capability is under the **Metrics** tab on Azure portal.
-- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by simply choosing the OS when creating cache nodes.
+- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by choosing the OS when creating cache nodes.
- **Ubuntu 22.04 LTS**: Cache nodes can now be deployed on Ubuntu 22.04 LTS.
- **Azure CLI support**: Cache nodes can now be created and managed via Azure CLI.
- **Proxy**: We added support for unauthenticated proxy and cloud proxy integration.
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
index 9e896b0acf..fd4a693300 100644
--- a/windows/deployment/do/mcc-ent-troubleshooting.md
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -23,8 +23,6 @@ This article contains instructions on how to troubleshoot different issues you m
This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release.
-### Cache node monitoring chart in the Azure portal user interface displays incorrect information
-
### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language
In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs.
@@ -82,6 +80,10 @@ You can expect to see the following types of log files:
1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine.
1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script.
+### Group Policy Object conflicts with Scheduled Task registration
+
+Enabling the Group Policy Object: [Network access: Do not allow storage of passwords and credentials for network authentication](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication) will prevent the Connected Cache software from registering the scheduled tasks necessary for successful cache node registration and operation.
+
### WSL2 fails to install with message "A specified logon session doesn't exist"
If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window.
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..ce4b36fd45
--- /dev/null
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -0,0 +1,93 @@
+---
+title: Checkpoint cumulative updates and the Microsoft Update Catalog
+description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+ - ✅ Windows 11, version 24H2 and later
+ - ✅ Windows Server 2025 and later
+ms.date: 01/31/2025
+---
+
+# Checkpoint cumulative updates and Microsoft Update Catalog usage
+
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
+
+## Checkpoint cumulative updates
+
+Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
+
+With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
+
+Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
+
+If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
+
+### Applicability
+
+A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+
+### Update Windows installation media
+
+This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+
+WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+
+
+## Updating from the Microsoft Update Catalog
+
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
+
+### Finding prior checkpoint cumulative updates
+
+For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+
+ > Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+
+Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
+
+### Updating through checkpoint cumulative updates
+
+**Device has the latest checkpoint cumulative update and doesn't need customization:**
+
+Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+
+Examples of eligible devices:
+
+| Device is on | Needs to install|
+|---|---|
+|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+
+**Device needs FoD or language pack customization:**
+
+Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
+
+1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
+1. Mount the install.wim file.
+1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
+1. Run `/Cleanup-Image /StartComponentCleanup`.
+1. Unmount.
+1. Run `DISM /export-image` to optimize the image size, if that's important to you.
+
+**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
+
+Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
+
+## Related articles
+
+- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
+- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
+- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
+- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..dd9b0e1abd
--- /dev/null
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -0,0 +1,17 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.subservice: itpro-updates
+ms.service: windows-client
+ms.topic: include
+ms.date: 01/31/2025
+ms.localizationpriority: medium
+---
+
+
+Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e5b5cd4a0b..33f43d08f6 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 11/11/2024
+ms.date: 1/31/2024
---
# Update Windows installation media with Dynamic Update
@@ -62,7 +62,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2 |
### Azure Stack HCI, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -72,7 +72,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2 | | |
### Windows Server 2022 later Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -81,8 +81,8 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2 | | |
-### Windows 11, version 22H2 and later Dynamic Update packages
-**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
+### Windows 11, version 22H2, and later Dynamic Update packages
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. The following titles are for Windows 11, version 22H2. Windows 11, version 23H2, and version 24H2 have a similar format:
| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
@@ -92,7 +92,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |
### Windows 11, version 21H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -102,7 +102,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | |
### Windows 10, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -124,30 +124,30 @@ Properly updating the installation media involves many actions operating on seve
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
-|-------------------------------------------|-------------------|--------------------------------|------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
-|Add language pack | 2 | 10 | 18 | |
-|Add localized optional packages | 3 | | 19 | |
-|Add font support | 4 | | 20 | |
-|Add text-to-speech | 5 | | 21 | |
-|Update Lang.ini | | | 22 | |
-|Add Features on Demand | | 11 | | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 12 | 23 | |
-|Clean up the image | 7 | 13 | 24 | |
-|Add Optional Components | | 14 | | |
-|Add .NET and .NET cumulative updates | | 15 | | |
-|Export image | 8 | 16 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|--------------------------------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack update via latest cumulative update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Optional Components | | 12 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add Setup.exe and setuphost.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 13 | 23 | |
+|Clean up the image | 7 | 14 | 24 | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
-> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
+> Starting in February 2021, the latest cumulative update and servicing stack update is combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
-> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
+> Microsoft removes the Flash component from Windows through [KB4577586: Update for Removal of Adobe Flash Player](https://support.microsoft.com/kb/4577586). You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
@@ -157,13 +157,13 @@ The main operating system file (install.wim) might contain multiple editions of
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline. However, doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
### Checkpoint cumulative updates
-Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
+Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
-To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
+To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23.
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -178,7 +178,8 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These aren't required, but added to highlight when in the sequence they should be added. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO is superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you're using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
+
```powershell
#Requires -RunAsAdministrator
@@ -187,40 +188,38 @@ function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
Write-Output "$(Get-TS): Starting media refresh"
-# Declare language for showcasing adding optional localized components
-$LANG = "ja-jp"
-$LANG_FONT_CAPABILITY = "jpan"
-
-# Declare media for FOD and LPs
-# Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
-# Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
-# If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
-$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
-
# Declare Dynamic Update packages. A dedicated folder is used for the latest cumulative update, and as needed
# checkpoint cumulative updates.
$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu"
-$SSU_PATH = "C:\mediaRefresh\packages\Other\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Other\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\Other\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\Other\DotNet_CU.msu"
-# Declare folders for mounted images and temp files
-$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
-$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$WORKING_PATH = "C:\mediaRefresh\temp"
-$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
-$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
-$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+# Declare media for FOD and LPs
+$FOD_ISO_PATH = "C:\mediaRefresh\packages\CLIENT_LOF_PACKAGES_OEM.iso"
+
+# Array of Features On Demand for main OS
+# This is optional to showcase where these are added
+$FOD = @(
+'XPS.Viewer~~~~0.0.1.0'
+)
+
+# Array of Legacy Features for main OS
+# This is optional to showcase where these are added
+$OC = @(
+'MediaPlayback'
+'WindowsMediaPlayer'
+)
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-
-# Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
-# moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
+# Declare language for showcasing adding optional localized components
+$LANG = "ja-jp"
+$LANG_FONT_CAPABILITY = "jpan"
+
# Declare language related cabs
$WINPE_OC_PATH = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
@@ -231,6 +230,14 @@ $WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
+# Declare folders for mounted images and temp files
+$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia\Ge\client_professional_en-us"
+$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
+$WORKING_PATH = "C:\mediaRefresh\temp"
+$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
+$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
+$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
@@ -241,15 +248,16 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
+
```
### Update WinRE and each main OS Windows edition
-The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
+The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
-Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
@@ -262,13 +270,15 @@ This process is repeated for each edition of Windows within the main operating s
# Get the list of images contained within the main OS
$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-Foreach ($IMAGE in $WINOS_IMAGES) {
+Foreach ($IMAGE in $WINOS_IMAGES)
+{
# first mount the main OS image
Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
- if ($IMAGE.ImageIndex -eq "1") {
+ if ($IMAGE.ImageIndex -eq "1")
+ {
#
# update Windows Recovery Environment (WinRE) within this OS image
@@ -278,29 +288,9 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 1 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
- # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
- # packages installed.
-
-
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
try
{
-
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
@@ -308,38 +298,36 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
$theError = $_
Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
#
# Optional: Add the language to recovery environment
#
+
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
- Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
@@ -349,15 +337,17 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -373,6 +363,10 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode"
+ }
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
@@ -389,35 +383,15 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# update Main OS
#
- # Add servicing stack update (Step 18 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
- # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
- # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
- # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
- # and installed first before the combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ # Add servicing stack update (Step 17 from the table). Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
- # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
- # Write-Output "$(Get-TS): Adding package $SSU_PATH to main OS, index $($IMAGE.ImageIndex)"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Optional: Add language to main OS
+ # Optional: Add language to main OS and corresponding language experience Features on Demand
Write-Output "$(Get-TS): Adding package $OS_LP_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
- # Optional: Add a Features on Demand to the image
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -436,22 +410,47 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Write-Output "$(Get-TS): Adding language FOD: Language.Speech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
- # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+ # Optional: Add additional Features On Demand
+ For ( $index = 0; $index -lt $FOD.count; $index++)#
+ {
+ Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Optional: Add Legacy Features
+ For ( $index = 0; $index -lt $OC.count; $index++)
+ {
+ Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
# Add latest cumulative update
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
- # Perform image cleanup
+ # Perform image cleanup. Some Optional Components might require the image to be booted, and thus
+ # image cleanup may fail. We'll catch and handle as a warning.
Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ if ($LastExitCode -eq -2146498554)
+ {
+ # We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning
+ # This is likely due to legacy components being added that require online operations.
+ Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation."
+ }
+ else
+ {
+ throw "Error: Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
- #
- # Note: If I wanted to enable additional Optional Components, I'd add these here.
- # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
- # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
- #
-
+ # Finally, we'll add .NET 3.5 and the .NET cumulative update
Write-Output "$(Get-TS): Adding NetFX3~~~~ to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -465,7 +464,6 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Export
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
@@ -474,7 +472,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update WinPE
-This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
+This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@@ -484,31 +482,14 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
-Foreach ($IMAGE in $WINPE_IMAGES) {
+Foreach ($IMAGE in $WINPE_IMAGES)
+{
# update WinPE
Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 9 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
- # This error should be caught and ignored, as the last step will be to apply the cumulative update
- # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
-
try
{
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)"
@@ -518,38 +499,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
{
$theError = $_
Write-Output "$(Get-TS): $theError"
-
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
- Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
-
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
@@ -558,15 +535,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -576,9 +555,14 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
- if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
+ if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
+ {
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to update lang.ini. Exit code: $LastExitCode"
+ }
}
# Add latest cumulative update
@@ -588,28 +572,31 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
- if ($IMAGE.ImageIndex -eq "2") {
-
+ if ($IMAGE.ImageIndex -eq "2")
+ {
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
# This is only required starting with Windows 11 version 24H2
$TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex
- if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") {
-
+ if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
+ {
Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
- else {
-
+ else
+ {
Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)"
}
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
-
}
# Dismount
@@ -618,15 +605,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
#Export WinPE
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
+
```
### Update remaining media files
-This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe and boot manager files using the previously saved versions from WinPE.
+This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe, and boot manager files using the previously saved versions from WinPE.
```powershell
#
@@ -636,14 +623,18 @@ This part of the script updates the Setup files. It simply copies the individual
# Add Setup DU by copy the files from the package into the newMedia
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
+if ($LastExitCode -ne 0)
+{
+ throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode"
+}
# Copy setup.exe from boot.wim, saved earlier.
Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe"
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy setuphost.exe from boot.wim, saved earlier.
-if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
-
+if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
+{
Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe"
Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
@@ -651,16 +642,15 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
-Foreach ($File in $MEDIA_NEW_FILES){
+Foreach ($File in $MEDIA_NEW_FILES)
+{
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
@@ -685,4 +675,5 @@ Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
+
```
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 2df0fe24ef..ef01bc96d7 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,6 +1,6 @@
---
title: Update release cycle for Windows clients
-description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/04/2024
+ms.date: 01/31/2025
---
# Update release cycle for Windows clients
@@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
+
## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
@@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
To access the optional nonsecurity preview release:
-- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
+- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
+
+
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
@@ -83,6 +90,9 @@ Some key considerations about OOB releases include:
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
+
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Continuous innovation for Windows 11
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 5da693649e..78f9f1690b 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
-1. **The log level** - Info, Warning, Error, Fatal Error
+2. **The log level** - Info, Warning, Error, Fatal Error
-1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
+3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
-1. **The message** - Operation completed successfully.
+4. **The message** - Operation completed successfully.
See the following example:
diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
index da72341ab0..444ff9cf37 100644
--- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.service: windows-client
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 00ae1403ff..c66b48114b 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -12,7 +12,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes"
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null,
"Remediation":[
-
+
],
"SetupPhaseInfo":null,
"SetupOperationInfo":null
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 48726194a2..5caad8feef 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index c7251d75b2..34c5e47773 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -18,7 +18,7 @@ appliesto:
> [!NOTE]
>
-> This article is a 300 level article (moderately advanced).
+> This article is a 300 level article (moderately advanced).
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index 1033866907..4d1dcd205e 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
-ms.date: 02/13/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 9e1d97ccac..3a2a091e06 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 08/30/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index d189141607..563fffa13b 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 08/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index f0fdf74531..e69fa2a0eb 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 8e72361a5d..631c7b6aa6 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us
## What offline environments are supported?
-All currently supported
+All currently supported
The following table defines the supported combination of online and offline operating systems in USMT.
@@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in
```xml
- C:\Windows
- D:\Windows
- E:\
+ C:\Windows
+ D:\Windows
+ E:\
1
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 3adb68387b..2994c4a929 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 4ebf6ff55f..fe77583153 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 1847cce5d9..e8a0d69a2f 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 4844937b52..71da51bdda 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 1685667185..d618b669c3 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index c0e4682965..f77777e41f 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th
-
+
-->
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index f9874a4d2f..c2a0454e4b 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c
%CSIDL_PERSONAL%\* [*.doc]
-
+
```
### How does USMT process each component in an .xml file with multiple components?
@@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3
C:\* [*.mp3]
-
+
```
### \ and \ rules precedence examples
@@ -185,11 +185,11 @@ The destination computer contains the following files:
A custom **.xml** file contains the following code:
```xml
-
-
- c:\data\* [*]
-
-
+
+
+ c:\data\* [*]
+
+
```
For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file.
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 130f3031c8..c398822c63 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra
My Video
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
@@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the `
-
-
+
+
@@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the `
-
+
C:\*\Presentations\* [*]
C:\Presentations\* [*]
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 8eefa733d4..00a902de28 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index bad57314e9..098c1a8a45 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 014e48a76e..ae5b4e142e 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 354badb01a..72388d511e 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 59234776e5..9fefd6f0b4 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index 666888f9d3..fb9a10a99e 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -11,12 +11,12 @@ metadata:
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
- ms.date: 01/09/2024
+ ms.date: 01/29/2025
ms.topic: faq
title: Frequently Asked Questions
summary: |
**Applies to:**
-
+
- Windows 11
- Windows 10
@@ -30,13 +30,13 @@ sections:
How much space is needed on the destination computer?
answer: |
The destination computer needs enough available space for the following items:
-
+
- Operating system
-
+
- Applications
-
+
- Uncompressed store
-
+
- question: |
Can the files and settings be stored directly on the destination computer or is a server needed?
answer: |
@@ -47,13 +47,13 @@ sections:
- Directly on the destination computer.
To store it directly on the destination computer:
-
+
1. Create and share the directory `C:\store` on the destination computer.
-
+
1. Run the **ScanState** tool on the source computer and save the files and settings to `\\\store`
-
+
1. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location.
-
+
- question: |
Can data be migrated between operating systems with different languages?
answer: |
@@ -80,7 +80,7 @@ sections:
How can a folder or a certain type of file be excluded from the migration?
answer: |
The **\** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\** rules that are in the **.xml** files. For an example, see **\** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md).
-
+
- question: |
What happens to files that were located on a drive that don't exist on the destination computer?
answer: |
@@ -91,22 +91,22 @@ sections:
- C:\\ is the system drive on the destination computer.
the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\** rules attempt to move data to a drive that doesn't exist on the destination computer.
-
+
- name: USMT .xml Files
questions:
- question: |
Where are there examples of USMT **.xml** files?
answer: |
The following articles include examples of USMT **.xml** files:
-
+
- [Exclude files and settings](usmt-exclude-files-and-settings.md)
-
+
- [Reroute files and settings](usmt-reroute-files-and-settings.md)
-
+
- [Include files and settings](usmt-include-files-and-settings.md)
-
+
- [Custom XML examples](usmt-custom-xml-examples.md)
-
+
- question: |
Can custom **.xml** files that were written for USMT 5.0 be used?
answer: |
@@ -121,9 +121,9 @@ sections:
Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands?
answer: |
The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings.
-
+
If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-
+
- question: |
Which files can be modified and specified on the command line?
answer: |
@@ -133,20 +133,20 @@ sections:
What happens if the **.xml** files aren't specified on the command line?
answer: |
- **ScanState**
-
+
If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated.
-
+
- **LoadState**
-
+
If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-
+
- name: Conflicts and Precedence
questions:
- question: |
What happens when there are conflicting XML rules or conflicting objects on the destination computer?
answer: |
For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
-
+
additionalContent: |
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 38b66a02b6..950371b73e 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library
The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves.
For example, specify the file
-
+
`C:\Windows\Notepad.exe`
-
+
as
-
+
**c:\\Windows\[Notepad.exe\]**
-
+
Similarly, specify the directory
-
+
`C:\Windows\System32`
-
+
as
-
+
**c:\\Windows\\System32**
-
+
Note the absence of the **\[\]** characters in second example.
The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index d2cae89bc7..7c21f7e783 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 591b1d3804..0da69dfec4 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol
There are three types of components:
- Components that migrate the operating system settings.
-
+
- Components that migrate application settings.
- Components that migrate users' files.
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index c3589124d1..72231c5f35 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index feca874008..41d2a4f881 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index e5b15c352d..e46ff9f218 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index cedbe8d1f9..941df2cced 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 736881d3b3..314590b2b7 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -9,7 +9,7 @@ author: frankroj
ms.topic: conceptual
ms.localizationpriority: medium
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index f4d79a27f2..6ff87626e6 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key.
```xml
- Component to migrate only registry value string
+ Component to migrate only registry value string
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
@@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
-
-
+
+
@@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
-
+
C:\*\EngineeringDrafts\* [*]
C:\EngineeringDrafts\* [*]
@@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive
-
+
```
## Migrate a specific file
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index a4bf1f2eeb..30667f7873 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 70f159b544..27e897b01d 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 39944f9a6a..8d146557a2 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 41f319446d..2e82b3db4e 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index b5dc3eb5fe..2084dbdd22 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index f0023bfc0b..0e8726cf9a 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -7,7 +7,7 @@ author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: overview
ms.collection:
- highpri
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 20bbc09ad5..6fbc90a488 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 0d2153bbaa..74170fceed 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.collection:
- highpri
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index 9581170803..adeaf3c10e 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 26b5f86f7a..438b71d40b 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index f002c6d337..e7a5305f00 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed
-
+
```
## Reroute a specific file
@@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin
Sample.doc into the Documents folder
-
-
+
+
C:\EngineeringDrafts\ [Sample.doc]
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 239d7be582..6e81c92b9a 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -23,7 +23,7 @@ appliesto:
- Microsoft Visual Studio
- The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio.
-
+
For more information about how to use the schema with an XML authoring environment, see the environment's documentation.
- [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS).
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 24f73b72d1..a25a4bde8e 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 1254f4fef0..d269cd7597 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 57767aecf4..4b1d005a41 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index e3be3d8fd0..56ee8a1868 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 3e85b84a37..3ca79322a4 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 20c70db094..bef1f41088 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index e03e8db9c0..56cee12f98 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/18/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index a4694c75a9..fc41899980 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file:
%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]
DWORD
00000000
-
+
```
## \
@@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file:
%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]
DWORD
00000000
-
+
```
## \
@@ -1070,10 +1070,10 @@ Example:
-
DOC
@@ -1126,18 +1126,18 @@ Syntax:
For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\** element:
```xml
-
- doc
-
+
+ doc
+
```
is the same as specifying the following code below the **\** element:
```xml
-
-
-
-
+
+
+
+
```
@@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYVIDEO%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
@@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYMUSIC%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
+
@@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the
%CSIDL_STARTMENU%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")
-
+
@@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYMUSIC%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
+
@@ -1969,7 +1969,7 @@ Examples:
To migrate the Sample.doc file from any drive on the source computer, use **\** as follows. If multiple files exist with the same name, all such files get migrated.
```xml
-
+
```
For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
@@ -2171,7 +2171,7 @@ For example:
```xml
- %CSIDL_COMMON_APPDATA%\QuickTime
+ %CSIDL_COMMON_APPDATA%\QuickTime
```
@@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi
-
+
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index 3b1f32fc27..21d2195393 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 818a24659e..f611d55175 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 7d1969ad11..8b1d97b433 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
index 026f05bd13..0cf0c9260b 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -1,7 +1,7 @@
---
title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device
-ms.date: 11/19/2024
+ms.date: 02/03/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -22,7 +22,12 @@ ms.collection:
> [!IMPORTANT]
> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
-Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+
+Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
+
+> [!NOTE]
+> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
## Key benefits
@@ -30,7 +35,18 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
-## Operating system configuration prerequisites
+## Release cycles
+
+For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+
+| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
+| ----- | ----- | ----- |
+| 1 | January | February and March |
+| 2 | April | May and June |
+| 3 | July | August and September |
+| 4 | October | November and December |
+
+## Operating system configuration prerequisites
To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
@@ -40,9 +56,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati
### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
-Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
-Key value: `**HotPatchRestrictions=1**`
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
+Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
+DWORD key value: HotPatchRestrictions=1
> [!IMPORTANT]
> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
@@ -66,13 +82,6 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
> [!NOTE]
> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
-## Release cycles
-
-For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
-
-- Baseline Release Months: January, April, July, October
-- Hotpatch Release Months: February, March, May, June, August, September, November, December
-
## Enroll devices to receive Hotpatch updates
> [!NOTE]
@@ -95,3 +104,7 @@ These steps ensure that targeted devices, which are [eligible](#eligible-devices
> [!NOTE]
> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
+
+## Roll back a hotpatch update
+
+Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 97d26c798d..78bb2e7125 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -18,7 +18,7 @@ ms.reviewer: hathind
# What is Windows Autopatch?
> [!IMPORTANT]
-> In September, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement.
+> In September 2024, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement.
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 8ba74fe797..7778e7edf0 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net
- device.autopatch.microsoft.com
|
+| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- device.autopatch.microsoft.com
|
## Delivery Optimization
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 7c41ff3d2a..4bf198648c 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -174,6 +174,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+||The following endpoint is for a public web API used by Windows and other OS-agnostic products to check for new updates. If you disable this endpoint, these products won't be able to check for and apply software updates.|TLSv1.2/HTTPS/HTTP|*.api.cdp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
|||TLSv1.2|da.xboxservices.com|
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
index 23d40c8440..f2ebb636f5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
@@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
-- webclnt.dll/davsvc.dll
+- webclnt.dll/davsvc.dll3
- wfc.exe
- windbg.exe
- wmic.exe
@@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
+3 If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
+
* Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
index 8cdfe418ba..0c9fb3469f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
@@ -130,7 +130,9 @@ There's a defined list of SIDs that App Control recognizes as admins. If a filep
App Control's list of well-known admin SIDs are:
+```
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
+```
When filepath rules are generated using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
@@ -140,8 +142,8 @@ The following wildcards can be used in App Control filepath rules:
| Wildcard character | Meaning | Supported operating systems |
|------------ | ----------- | ----------- |
-| **`*`** | Matches zero or more characters. | Windows 11, Windows 10, and Windows Server 2022 |
-| **`?`** | Matches a single character. | Windows 11 only |
+| **`*`** | Matches zero or more characters. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **`?`** | Matches a single character. | Windows 11 and later, or Windows Server 2025 and later |
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. These macros can be used in combination with the wildcards above.
@@ -154,9 +156,9 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
| Examples | Description | Supported operating systems |
|------------ | ----------- | ----------- |
-| **C:\\Windows\\\***
**D:\\EnterpriseApps\\MyApp\\\***
**%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 11, Windows 10, and Windows Server 2022 |
-| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 11, Windows 10, and Windows Server 2022 |
-| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe**
**%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match:
*`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`*
*`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 only |
+| **C:\\Windows\\\***
**D:\\EnterpriseApps\\MyApp\\\***
**%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe**
**%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match:
*`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`*
*`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 and later, or Windows Server 2025 and later |
Without a wildcard, the filepath rule allows only a specific file (ex. `C:\foo\bar.exe`).
diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml
index c8ed951135..c2de68aab3 100644
--- a/windows/security/application-security/application-isolation/toc.yml
+++ b/windows/security/application-security/application-isolation/toc.yml
@@ -1,20 +1,16 @@
items:
- name: Microsoft Defender Application Guard (MDAG)
href: microsoft-defender-application-guard/md-app-guard-overview.md
-- name: MDAG for Edge standalone mode
- href: microsoft-defender-application-guard/md-app-guard-overview.md
-- name: MDAG for Edge enterprise mode and enterprise management 🔗
- href: /deployedge/microsoft-edge-security-windows-defender-application-guard
-- name: MDAG for Microsoft Office
- href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
-- name: MDAG configure via MDM 🔗
- href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
+ items:
+ - name: MDAG for Microsoft Edge standalone mode
+ href: microsoft-defender-application-guard/md-app-guard-overview.md
+ - name: MDAG for Microsoft Edge enterprise mode and enterprise management 🔗
+ href: /deployedge/microsoft-edge-security-windows-defender-application-guard
+ - name: MDAG for Microsoft Office
+ href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
+ - name: Configure MDAG via MDM 🔗
+ href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
- name: App containers 🔗
href: /virtualization/windowscontainers/about
- name: Windows Sandbox
- href: windows-sandbox/windows-sandbox-overview.md
- items:
- - name: Windows Sandbox architecture
- href: windows-sandbox/windows-sandbox-architecture.md
- - name: Windows Sandbox configuration
- href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+ href: windows-sandbox/index.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/index.md b/windows/security/application-security/application-isolation/windows-sandbox/index.md
new file mode 100644
index 0000000000..90957adc4b
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/index.md
@@ -0,0 +1,43 @@
+---
+title: Windows Sandbox
+description: Windows Sandbox overview
+ms.topic: overview
+ms.date: 09/09/2024
+---
+
+# Windows Sandbox
+
+Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It's ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience.
+
+The sandbox is temporary; closing it deletes all software, files, and state. Each launch provides a fresh instance. Host-installed software isn't available in the sandbox. Applications needed within the sandbox must be installed there explicitly.
+
+> [!NOTE]
+> Starting with Windows 11, version 22H2, data persists through restarts initiated within the sandbox, useful for applications requiring a reboot.
+
+Windows Sandbox offers the following features:
+
+- **Part of Windows**: Everything required for this feature is included in the supported Windows editions like Pro, Enterprise, and Education. There's no need to maintain a separate VM installation.
+- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
+- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
+- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
+- **Efficient**: Takes a few seconds to launch, supports virtual GPU, and has smart memory management that optimizes memory footprint.
+
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). Enabling networking can expose untrusted applications to the internal network.
+
+WSB can be used without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can use WSB:
+
+- **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
+- **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
+- **Running Untrusted Applications**: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode. Check [Sample configuration files](windows-sandbox-sample-configuration.md) for more details.
+- **Testing or demoing new software for the first time**: Test drive or demo new software, preview versions, extensions, or add-ons without the hassle of installing and then uninstalling on your host machine.
+- **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies!
+
+> [!NOTE]
+> Windows Sandbox currently doesn't allow multiple instances to run simultaneously.
+
+
+[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]
+
+> [!NOTE]
+> Windows Sandbox is currently not supported on Windows Home edition.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml
new file mode 100644
index 0000000000..9654e55dcd
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml
@@ -0,0 +1,26 @@
+items:
+- name: Windows Sandbox
+ href: index.md
+- name: Overview
+ expanded: true
+ items:
+ - name: Windows Sandbox versions
+ href: windows-sandbox-versions.md
+ - name: Architecture
+ href: windows-sandbox-architecture.md
+- name: Install Windows Sandbox
+ href: windows-sandbox-install.md
+- name: Use & configure Windows Sandbox
+ href: windows-sandbox-configure-using-wsb-file.md
+- name: Windows Sandbox command line interface
+ href: windows-sandbox-cli.md
+- name: Tutorials
+ items:
+ - name: Sample configuration files
+ href: windows-sandbox-sample-configuration.md
+- name: WindowsSandbox Policy CSP 🔗
+ href: /windows/client-management/mdm/policy-csp-windowssandbox
+- name: Frequently asked questions
+ href: windows-sandbox-faq.yml
+- name: Troubleshooting
+ href: windows-sandbox-troubleshoot.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
index 0da205053a..fcb9b56ddc 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
@@ -2,7 +2,7 @@
title: Windows Sandbox architecture
description: Windows Sandbox architecture
ms.topic: conceptual
-ms.date: 03/26/2024
+ms.date: 09/09/2024
---
# Windows Sandbox architecture
@@ -27,18 +27,10 @@ Traditional VMs apportion statically sized allocations of host memory. When reso
## Memory sharing
-Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when `ntdll.dll` is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
-## Integrated kernel scheduler
-
-With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
-
-
-
-Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container.
-
## WDDM GPU virtualization
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md
new file mode 100644
index 0000000000..c181a80a91
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md
@@ -0,0 +1,101 @@
+---
+title: Windows Sandbox command line
+description: Windows Sandbox command line interface
+ms.topic: how-to
+ms.date: 10/22/2024
+---
+
+# Windows Sandbox command line interface
+
+Starting with Windows 11, version 24H2, the Windows Command Line Interface (CLI) offers powerful tools for creating, managing, and controlling sandboxes, executing commands, and sharing folders within sandbox sessions. This functionality is especially valuable for scripting, task automation, and improving development workflows. In this section, you'll explore how the Windows Sandbox CLI operates, with examples demonstrating how to use each command to enhance your development process.
+
+**Common parameters**:
+
+- `--raw`: Formats all outputs in JSON format.
+- `-?, -h, --help`: Show help and usage information
+
+## Start
+
+The start command creates and launches a new sandbox. The command returns the sandbox ID, which is a unique identifier for the sandbox. The sandbox ID can be used to refer to the sandbox in other commands.
+
+- `--id `: ID of the Windows Sandbox environment.
+- `--c, --config `: Formatted string with the settings that should be used to create the Windows Sandbox environment.
+
+**Examples**:
+
+- Create a Windows Sandbox environment with the default settings:
+
+ ```cmd
+ wsb start
+ ```
+
+- Create a Windows Sandbox environment with a custom configuration:
+
+ ```cmd
+ wsb start --config "Disabled"
+ ```
+
+## List
+
+The list command displays a table that shows the information the running Windows Sandbox sessions for the current user. The table includes the sandbox ID. The status can be either running or stopped. The uptime is the duration that the sandbox has been running.
+
+```cmd
+wsb list
+```
+
+## Exec
+
+The exec command executes a command in the sandbox. The command takes two arguments: the sandbox ID and the command to execute. The command can be either a built-in command or an executable file. The exec command runs the command in the sandbox and returns the exit code. The exec command can also take optional arguments that are passed to the process started in the sandbox.
+
+> [!NOTE]
+> Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox.
+
+An active user session is required to execute a command in the context of the currently logged on user. Therefore, before running this command a remote desktop connection should be established. This can be done using the [connect](#connect) command.
+
+- `--id ` (REQUIRED): ID of the Windows Sandbox environment.
+- `-c, --command ` (REQUIRED): The command to execute within Windows Sandbox.
+- `-r, --run-as ` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command runs in the system context. If the ExistingLogin option is selected, the command runs in the currently active user session or fails if there's no active user session.
+- `-d, --working-directory `: Directory to execute command in.
+
+```cmd
+wsb exec –-id 12345678-1234-1234-1234-1234567890AB -c app.exe -r System
+```
+
+## Stop
+
+The stop command stops a running Windows Sandbox session. The command takes the sandbox ID as an argument.
+
+The stop command terminates the sandbox process and releases the resources allocated to the sandbox. The stop command also closes the window that shows the sandbox desktop.
+
+```cmd
+wsb stop --id 12345678-1234-1234-1234-1234567890AB
+```
+
+## Share
+
+The share command shares a host folder with the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder.
+
+- `--id ` (REQUIRED): ID of the Windows Sandbox environment.
+- `-f, --host-path ` (REQUIRED): Path to folder that is shared from the host.
+- `-s, --sandbox-path ` (REQUIRED): Path to the folder within the Windows Sandbox.
+- `-w, --allow-write`: If specified, the Windows Sandbox environment is allowed to write to the shared folder.
+
+```cmd
+wsb share --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write
+```
+
+## Connect
+
+The connect command starts a remote session within the sandbox. The command takes the sandbox ID as an argument. The connect command opens a new window with a remote desktop session. The connect command allows the user to interact with the sandbox using the mouse and keyboard.
+
+```cmd
+wsb connect --id 12345678-1234-1234-1234-1234567890AB
+```
+
+## IP
+
+The ip command displays the IP address of the sandbox. The command takes the sandbox ID as an argument.
+
+```cmd
+wsb ip --id 12345678-1234-1234-1234-1234567890AB
+```
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 0de253e2e9..f1a42226e3 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,11 +1,32 @@
---
-title: Windows Sandbox configuration
-description: Windows Sandbox configuration
+title: Use and configure Windows Sandbox
+description: Use and configure Windows Sandbox
ms.topic: how-to
-ms.date: 03/26/2024
+ms.date: 09/09/2024
---
-# Windows Sandbox configuration
+# Use and configure Windows Sandbox
+
+To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with maximum capacity of 4GB memory with the following properties:
+
+- **vGPU (virtualized GPU)**: Enabled on non-Arm64 devices.
+- **Networking**: Enabled. The sandbox uses the Hyper-V default switch.
+- **Audio input**: Enabled. The sandbox shares the host's microphone input into the sandbox.
+- **Video input**: Disabled. The sandbox doesn't share the host's video input into the sandbox.
+- **Protected client**: Disabled. The sandbox doesn't use increased security settings on the Remote Desktop Protocol (RDP) session.
+- **Printer redirection**: Disabled. The sandbox doesn't share printers with the host.
+- **Clipboard redirection**: Enabled. The sandbox shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
+
+> [!IMPORTANT]
+>
+> - Networking is enabled by default. This can expose untrusted applications to the internal network. To launch a Sandbox with networking disabled, use a custom .wsb file.
+> - With Clipboard redirection automatically enabled, you can easily copy files from the host and paste them into the Windows Sandbox window.
+
+You have the freedom to open files, install applications from the web, and perform various other tasks that benefit from an isolated clean environment.
+
+When you're finished experimenting, close the sandbox. A dialog box prompts you to confirm the deletion of all sandbox content. Select **Ok** to proceed. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
+
+## Configure a custom Windows Sandbox
Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension.
@@ -14,7 +35,7 @@ A configuration file enables the user to control the following aspects of Window
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data.
-- **Logon command**: A command that's executed when Windows Sandbox starts.
+- **Logon command**: A command to execute when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox.
@@ -25,7 +46,7 @@ A configuration file enables the user to control the following aspects of Window
> [!NOTE]
> The size of the sandbox window currently isn't configurable.
-## Creating a configuration file
+## Create a configuration file
To create a configuration file:
@@ -37,10 +58,8 @@ To create a configuration file:
```
-3. Add appropriate configuration text between the two lines. For details, see [examples](#examples).
-4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`.
-
-## Using a configuration file
+3. Add appropriate configuration text between the two lines. For details, see [examples](windows-sandbox-sample-configuration.md).
+4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"MyConfigFile.wsb"`.
To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:
@@ -48,19 +67,21 @@ To use a configuration file, double-click it to start Windows Sandbox according
C:\Temp> MyConfigFile.wsb
```
-## Keywords, values, and limits
+## Configuration options
### vGPU
Enables or disables GPU sharing.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables vGPU support in the sandbox.
-- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
-- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
+- **Enable**: Enables vGPU support in the sandbox.
+- **Disable**: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
+- **Default**: This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
@@ -69,20 +90,24 @@ Supported values:
Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables networking in the sandbox.
-- *Disable*: Disables networking in the sandbox.
-- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
+- **Enable**: Enables networking in the sandbox.
+- **Disable**: Disables networking in the sandbox.
+- **Default**: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
> [!NOTE]
> Enabling networking can expose untrusted applications to the internal network.
### Mapped folders
-An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop.
+An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. Currently, relative paths aren't supported.
+
+When using `` to map folders, the folders are mapped before the execution of the [Logon command](#logon-command). Beginning in Windows 11, version 23H2, you can use environment variables in the path.
```xml
@@ -97,12 +122,12 @@ An array of folders, each representing a location on the host machine that is sh
```
-- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
-- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop.
-- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
+- **HostFolder**: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
+- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it gets created. If no sandbox folder is specified, the folder is mapped to the container user's desktop. The default user of Sandbox is `WDAGUtilityAccount`.
+- **ReadOnly**: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
> [!NOTE]
-> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
+> Files and folders mapped from the host can be compromised by apps in the sandbox or potentially affect the host. Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed.
### Logon command
@@ -114,22 +139,24 @@ Specifies a single command that will be invoked automatically after the sandbox
```
-*Command*: A path to an executable or script inside the container that will be executed after signing in.
+**Command**: A path to an executable or script inside the container that will be executed after signing in.
> [!NOTE]
-> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
+> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via ``.
### Audio input
Enables or disables audio input to the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability.
-- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
-- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
+- **Enable**: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone might require this capability.
+- **Disable**: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone might not function properly with this setting.
+- **Default**: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
@@ -138,30 +165,32 @@ Supported values:
Enables or disables video input to the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables video input in the sandbox.
-- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
-- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
+- **Enable**: Enables video input in the sandbox.
+- **Disable**: Disables video input in the sandbox. Applications that use video input might not function properly in the sandbox.
+- **Default**: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input might not function properly in the sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
### Protected client
-When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment.
+When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment. AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
-AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
-
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
-- *Disable*: Runs the Sandbox in the standard mode without extra security mitigations.
-- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
+- **Enable**: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
+- **Disable**: Runs the Sandbox in the standard mode without extra security mitigations.
+- **Default**: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
> [!NOTE]
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
@@ -170,135 +199,36 @@ Supported values:
Enables or disables printer sharing from the host into the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables sharing of host printers into the sandbox.
-- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
-- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
+- **Enable**: Enables sharing of host printers into the sandbox.
+- **Disable**: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
+- **Default**: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
### Clipboard redirection
Enables or disables sharing of the host clipboard with the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables sharing of the host clipboard with the sandbox.
-- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
-- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
+- **Enable**: Enables sharing of the host clipboard with the sandbox.
+- **Disable**: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
+- **Default**: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
### Memory in MB
Specifies the amount of memory that the sandbox can use in megabytes (MB).
-`value`
-
-If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount.
-
-## Examples
-
-### Example 1
-
-The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
-
-#### Downloads.wsb
-
```xml
-
- Disable
- Disable
-
-
- C:\Users\Public\Downloads
- C:\Users\WDAGUtilityAccount\Downloads
- true
-
-
-
- explorer.exe C:\users\WDAGUtilityAccount\Downloads
-
-
+value
```
-### Example 2
-
-The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
-
-Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
-
-With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
-
-#### VSCodeInstall.cmd
-
-Downloads VS Code to `downloads` folder and runs installation from `downloads` folder.
-
-```batch
-REM Download Visual Studio Code
-curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe
-
-REM Install and run Visual Studio Code
-C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
-```
-
-#### VSCode.wsb
-
-```xml
-
-
-
- C:\SandboxScripts
- C:\Users\WDAGUtilityAccount\Downloads\sandbox
- true
-
-
- C:\CodingProjects
- C:\Users\WDAGUtilityAccount\Documents\Projects
- false
-
-
-
- C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd
-
-
-```
-
-### Example 3
-
-The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
-
-`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
-
-#### SwapMouse.ps1
-
-Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
-
-```powershell
-[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
-
-$SwapButtons = Add-Type -MemberDefinition @'
-[DllImport("user32.dll")]
-public static extern bool SwapMouseButton(bool swap);
-'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
-
-$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
-```
-
-### SwapMouse.wsb
-
-```xml
-
-
-
- C:\sandbox
- C:\sandbox
- True
-
-
-
- powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
-
-
-```
+If the memory value specified is insufficient to boot a sandbox, it's automatically increased to the required minimum amount of 2048 MB.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml
new file mode 100644
index 0000000000..ca1408a957
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml
@@ -0,0 +1,107 @@
+### YamlMime:FAQ
+metadata:
+ title: Windows Sandbox frequently asked questions (FAQ)
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows Sandbox.
+ author: vinaypamnani-msft
+ ms.author: vinpa
+ ms.topic: faq
+ ms.date: 10/23/2024
+
+title: Common questions about Windows Sandbox
+summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Sandbox.
+
+sections:
+
+ - name: Concepts
+ questions:
+
+ - question: Who can use WSB?
+ answer: |
+ WSB can be used in various scenarios by anyone without any technical skills. Here are some ways in which you can use WSB:
+
+ - **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
+ - **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
+ - **Running Untrusted Applications**: Mitigate security risks by running untrusted applications or files, such as email attachments in WSB.
+ - **Test software features risk-free**: Easily test out software without the need for installing or uninstalling on your host machine.
+ - **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments.
+ - **Privacy Protection**: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques.
+
+ - question: What's the difference between a Hyper-V virtual machine (VM) and Windows Sandbox?
+ answer: |
+ 1. **Lightweight and Temporary**:
+ - Windows Sandbox: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system.
+ - Hyper-V VMs: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up.
+ 1. **Security Isolation**:
+ - Windows Sandbox: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it.
+ - Hyper-V VMs: While VMs also offer isolation, they persistently store changes unless you revert them manually.
+ 1. **Resource Efficiency**:
+ - Windows Sandbox: More resource efficient than a full VM. It adjusts memory usage according to the demand. It also reuses many of the host's read only OS files.
+ - Hyper-V VMs: VMs have fixed resource allocations, which can impact overall system performance.
+ 1. **Ease of Use**:
+ - Windows Sandbox: Simple to use—just open it, test your software, and close it. No complex setup or management.
+ - Hyper-V VMs: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots.
+
+ - question: What applications aren't supported inside a Windows Sandbox?
+ answer: |
+ Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' aren't supported.
+ While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps.
+
+ - name: Usage
+ questions:
+
+ - question: Why can I not change certain settings using a config file?
+ answer: |
+ You can't make changes to properties if they're controlled by Group Policy. Contact your IT Administrator for more details.
+
+ - question: How do I open multiple Sandbox instances?
+ answer: |
+ Today, Windows Sandbox only allows users to launch one Sandbox instance at a time.
+
+ - question: Installing the latest version of Windows Sandbox fails. How do I fix this?
+ answer: |
+ Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails on the first attempt, subsequent attempts continue in the background. Meanwhile, the app can still be used. Additionally, the update is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install.
+
+
+ - question: How do I know which version of Windows Sandbox am I running?
+ answer: |
+ Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you're running an older version of Windows Sandbox. If it returns a version number, you're running the newer version.
+ Alternatively, you can run `wsb --version`. If `wsb` is not available, you're running an older version of Windows Sandbox.
+ The new version of Windows Sandbox also appears in Windows Settings under **System** > **System components**.
+
+ - question: How do I save the Sandbox state?
+ answer: |
+ Windows Sandbox is temporary; closing it deletes all software, files, and state.
+
+ - question: How can I open Windows Sandbox with a different OS version?
+ answer: |
+ Windows Sandbox only allows you to use the same build as your host OS. This allows us to keep Windows Sandbox 'lightweight'.
+
+ - question: How do I uninstall Windows Sandbox?
+ answer: |
+ To remove Windows Sandbox, and all its components, navigate to **Settings > System > Optional features**, then select **More Windows features**, scroll down and unselect Windows Sandbox, then select OK.
+
+ - name: Feedback
+ questions:
+
+ - question: Where can I provide feedback?
+ answer: |
+ You can file a bug in Feedback Hub by:
+
+ 1. Open the Feedback Hub app.
+ 1. Select **Report a problem** or **Suggest a feature**.
+ 1. Fill in the **Summarize your feedback** and **Explain in more details** boxes with a detailed description of the issue or suggestion. A useful feedback item includes:
+ - Short and descriptive issue title.
+ - Windows version and build number, which can be gathered from a command prompt using the `cmd.exe --version` command.
+ - Device information (including CPU type, memory, disk etc.)
+ - Detailed repro steps. What steps do we need to take to reproduce the issue? Provide as much detail as you can. Provide error message text where possible or screenshots of errors if text can't be captured.
+ - Behavior you were expecting.
+ 1. Select an appropriate category and subcategory by using the dropdown menus. There's a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It's located under **Security and Privacy** category.
+ 1. Select **Next**.
+ 1. If you are able to reproduce the issue, please collect traces as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**.
+ 1. Attach any relevant screenshots or files for the problem, then select **Submit**.
+
+ Alternatively, you can also use the [Windows Sandbox GitHub repository](https://github.com/microsoft/Windows-Sandbox) to:
+
+ - **Search existing issues** to see if there are any associated with a problem that you're having. In the search bar, you can remove "is:open" to include resolved issues in your search. Consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority.
+ - **File a new issue**: If you have found a problem with WSB or WSB documentation and there doesn't appear to be an existing issue, you can select the green **New issue** button and then choose **WSB - Bug Report**. Provide a title for the issue, your Windows build number, whether you're running inbox or undocked Windows Sandbox, any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate.
+ - **File a feature request** by selecting the green **New issue** button and then select **Feature request**, then answer the questions describing your request.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md
new file mode 100644
index 0000000000..32b1aee636
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md
@@ -0,0 +1,59 @@
+---
+title: Install Windows Sandbox
+description: Install Windows Sandbox
+ms.topic: how-to
+ms.date: 09/09/2024
+---
+
+# Install Windows Sandbox
+
+## Prerequisites
+
+- Arm64 (for Windows 11, version 22H2 and later) or AMD64 architecture
+- Virtualization capabilities enabled in BIOS
+- At least 4 GB of RAM (8 GB recommended)
+- At least 1 GB of free disk space (SSD recommended)
+- At least two CPU cores (four cores with hyper-threading recommended)
+
+> [!NOTE]
+> Beginning in Windows 11, version 24H2, inbox store apps like Calculator, Photos, Notepad and Terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.
+
+## Installation
+
+1. Ensure that your machine is using Windows 11 or Windows 10, version 1903 or later.
+
+2. Enable virtualization on the machine.
+
+ - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
+ - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
+
+ ```powershell
+ Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
+ Update-VMVersion -VMName
+ ```
+
+3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
+
+ If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
+
+ > [!NOTE]
+ > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
+ >
+ > ```powershell
+ > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
+ > ```
+
+4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
+
+ > [!NOTE]
+ > Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system.
+ >
+ > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-sample-configuration.md#example-3---mapping-folders-and-running-a-powershell-script-as-a-logon-command).
+
+## Try WSB preview features by joining the Windows Insider Program
+
+To try the most recent features or updates to WSB, join the [Windows Insiders Program](https://insider.windows.com/getting-started). After joining the Windows Insiders Program, you can choose the channel you would like to receive preview builds from inside the Windows settings menu. You can choose from:
+
+- **Dev channel**: Most recent updates, but low stability.
+- **Beta channel**: Ideal for early adopters, more reliable builds than the Dev channel.
+- **Release Preview channel**: Preview fixes and key features on the next version of Windows just before its available to the general public.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
deleted file mode 100644
index 8d8f873a38..0000000000
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Windows Sandbox
-description: Windows Sandbox overview
-ms.topic: conceptual
-ms.date: 03/26/2024
----
-
-# Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
-
-A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
-
-Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
-
-Windows Sandbox has the following properties:
-
-- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD).
-- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
-- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
-- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
-- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
-
-> [!IMPORTANT]
-> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]
-
-## Prerequisites
-
-- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
-- Virtualization capabilities enabled in BIOS
-- At least 4 GB of RAM (8 GB recommended)
-- At least 1 GB of free disk space (SSD recommended)
-- At least two CPU cores (four cores with hyper-threading recommended)
-
-> [!NOTE]
-> Windows Sandbox is currently not supported on Windows Home edition.
-> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.
-## Installation
-
-1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11.
-
-2. Enable virtualization on the machine.
-
- - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
-
- ```powershell
- Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
- Update-VMVersion -VMName
- ```
-
-3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
-
- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
-
- > [!NOTE]
- > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
- >
- > ```powershell
- > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
- > ```
-
-4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
-
- > [!NOTE]
- > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
-
-## Usage
-
-1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
-2. Run the executable file or installer inside the sandbox.
-3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**.
-4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md
new file mode 100644
index 0000000000..8d1a0ca697
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md
@@ -0,0 +1,112 @@
+---
+title: Windows Sandbox sample configuration files
+description: Windows Sandbox sample configuration files
+ms.topic: how-to
+ms.date: 09/09/2024
+---
+
+# Windows Sandbox sample configuration files
+
+## Example 1 - Mapping Folders and testing an unknown downloaded file in a Sandbox
+
+The following config file can be used to easily test unknown downloaded files inside a sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the downloads folder from the host and is placed inside a 'temp' folder in the sandbox. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
+
+### Downloads.wsb
+
+```xml
+
+ Disable
+ Disable
+
+
+ C:\Users\Public\Downloads
+ C:\temp
+ true
+
+
+
+ explorer.exe C:\temp
+
+
+
+```
+
+## Example 2 - Installing Visual Studio Code at launch in a Sandbox
+
+The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
+
+Two folders are mapped into the sandbox; the first (`SandboxScripts`) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (`CodingProjects`) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
+
+With the Visual Studio Code installer script already mapped into the sandbox, the `` can reference it.
+
+### VSCodeInstall.cmd
+
+This batch file should be created in the `C:\SandboxScripts` directory on the host. It downloads VS Code to `temp` folder inside the sandbox and runs installation from `temp` folder.
+
+```batch
+REM Download Visual Studio Code
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\temp\vscode.exe
+
+REM Install and run Visual Studio Code
+C:\temp\vscode.exe /verysilent /suppressmsgboxes
+```
+
+### VSCode.wsb
+
+```xml
+
+
+
+ C:\SandboxScripts
+ C:\temp\sandbox
+ true
+
+
+ C:\CodingProjects
+ C:\temp\Projects
+ false
+
+
+
+ C:\temp\sandbox\VSCodeInstall.cmd
+
+
+```
+
+## Example 3 - Mapping Folders and running a PowerShell script as a Logon Command
+
+Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting.
+
+In this example, the `C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
+
+### SwapMouse.ps1
+
+Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
+
+$SwapButtons = Add-Type -MemberDefinition @'
+[DllImport("user32.dll")]
+public static extern bool SwapMouseButton(bool swap);
+'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
+
+$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
+```
+
+### SwapMouse.wsb
+
+```xml
+
+
+
+ C:\sandbox
+ C:\sandbox
+ True
+
+
+
+ powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
+
+
+```
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md
new file mode 100644
index 0000000000..a908b5875c
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md
@@ -0,0 +1,21 @@
+---
+title: Troubleshoot Windows Sandbox
+description: Troubleshoot Windows Sandbox
+ms.topic: troubleshooting
+ms.date: 09/09/2024
+---
+
+# Troubleshoot Windows Sandbox
+
+This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml#where-can-i-provide-feedback)
+
+| Error | Possible Solution |
+|--|--|
+| `WININET_E_NAME_NOT_RESOLVED`
`WU_E_PT_ENDPOINT_UNREACHABLE` | Upgrade to Windows Sandbox app fails because user isn't connected to internet or network adapter is connected but no internet connection. Check your internet connection. |
+| `ERROR_FILE_NOT_FOUND` | `.wsb` config file provided by the user doesn't exist. Make sure that the path to the `.wsb` file is correct. |
+| `E_INVALIDARG` | The `.wsb` file provided by the user is invalid or has errors. Check the `.wsb` file. |
+| `REGDB_E_IIDNOTREG` | Verify if Windows Sandbox component is enabled under 'Turn Windows features on or off'. For more information, see [Install Windows Sandbox](windows-sandbox-install.md) |
+| `The following settings are enforced by your IT administrator.` | `.wsb` file has a setting enabled that is controlled via group policy. |
+| `No hypervisor was found. Please enable hypervisor support.` | Windows Sandbox only supports Hyper-V Hypervisor. Third-party hypervisors are not supported. Ensure that Hyper-V is enabled. |
+| `Cannot upgrade to the latest version of Windows Sandbox` | Ensure that your device has access to the Internet, Windows Update and Microsoft Store. Beginning with Windows 11, version 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually. |
+| `E_FAIL`, or `E_UNEXPECTED` or general failure during installation. | Possible causes:
- Installing Windows Sandbox is disabled via group policy. Check with your IT Admin.
- Timeout error where we can't reach the Microsoft Store. Try again later. |
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
new file mode 100644
index 0000000000..42ffe331cc
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
@@ -0,0 +1,32 @@
+---
+title: Windows Sandbox versions
+description: Windows Sandbox versions
+ms.topic: conceptual
+ms.date: 10/22/2024
+---
+
+# Windows Sandbox versions
+
+Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is available from the Microsoft Store, featuring an improved user experience and new command line functionality.
+
+- **Faster Updates**: With the app now being updated through the Microsoft Store, you can install the bug fixes and new features as soon as they're available, rather than needing to wait for an update of the Windows operating system.
+- **Revamped UI**: The app now features WinUI 3, a modern and sleek user interface built on the Fluent design system.
+- **New Runtime Features**: Users can now access clipboard redirection, audio/video input control, and folder sharing directly during runtime using the "…" icon in the top-right corner without needing a preconfigured `.wsb` file.
+- **Command Line Preview**: An early version of [command line support](windows-sandbox-cli.md) for Windows Sandbox is now available.
+
+## Upgrading to the newer version
+
+### Prerequisites
+
+- Windows Sandbox must already be installed. If it isn't already installed, [install Windows Sandbox](windows-sandbox-install.md).
+- Device must be running Windows 11, version 24H2, with KB10D or later.
+- Internet access for Microsoft Store and Windows Update.
+
+### Upgrade
+
+- Launch **Windows Sandbox** from the Start menu.
+- If the app isn't upgraded to the latest version, a progress dialog appears as it automatically attempts to update. This process typically takes 30 seconds to 2 minutes.
+- Once the installation is complete, you're directed to the updated version of the app.
+
+> [!NOTE]
+> If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually.
\ No newline at end of file
diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md
index 8e2f55f747..d8d6385b3f 100644
--- a/windows/security/book/includes/windows-sandbox.md
+++ b/windows/security/book/includes/windows-sandbox.md
@@ -14,4 +14,4 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software
[!INCLUDE [learn-more](learn-more.md)]
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
+- [Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox)
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e0cd0064c8..eebfabaaa0 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -142,9 +142,10 @@
"✅ Windows Server 2019",
"✅ Windows Server 2016"
],
- "application-security/application-control/windows-defender-application-control/**/*.md": [
+ "application-security/application-control/app-control-for-business/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index 26e30724a9..3a5d20bea8 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -210,9 +210,9 @@ sections:
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
- - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
+ - question: Does Windows Hello for Business cloud Kerberos trust work with RODC present in the hybrid environment?
answer: |
- Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
+ Windows Hello for Business cloud Kerberos trust functions correctly when the client authenticates directly to a writable domain controller or to a Read-Only Domain Controller (RODC) that doesn't cache the user's credentials, in accordance with the Password Replication Policy. If the client attempts to authenticate to an RODC that can cache the user's credentials, cloud Kerberos trust authentication might fail. To mitigate this, deploy KDC certificates to all RODCs to support Windows Hello for Business key trust authentication, which is also required for those RODCs to support LDAP over SSL. This configuration ensures that authentication can seamlessly failover to Windows Hello for Business key trust authentication, thereby guaranteeing successful user authentication.
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
diff --git a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png
index d5c3416a67..fffcd5b0f2 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png
index 86d43fcb2c..882c46356a 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png and b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png
index 755c1b66e0..295580ed83 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index bc28fecee5..305932af9b 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 06/11/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
index 9bc006a4e0..3d3f9622e0 100644
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
@@ -2,7 +2,7 @@
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
-ms.date: 10/29/2024
+ms.date: 01/30/2025
---
# Transition into a passwordless deployment
@@ -123,7 +123,7 @@ function Generate-RandomPassword{
$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force
-Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
+Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset
```
If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 43817f6227..7b2cccd5ae 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -131,7 +131,7 @@ landingContent:
- text: Microsoft Defender Application Guard (MDAG)
url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- text: Windows Sandbox
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
+ url: /windows/security/application-security/application-isolation/windows-sandbox/
- linkListType: how-to-guide
links:
- text: Configure Windows Sandbox
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
index b0ff6c39b5..45ad55ad06 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
@@ -19,6 +19,8 @@ If this policy setting is disabled or not configured, the default recovery optio
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
+
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoveryoptions)|
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
index 421165a49b..9da8c4e609 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
@@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
-ms.date: 12/05/2024
+ms.date: 02/11/2025
---
# BitLocker recovery process
@@ -75,7 +75,7 @@ The following list can be used as a template for creating a recovery process for
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
> [!NOTE]
-> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
+> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will continue to have access to BitLocker recovery keys for those devices that have undergone device ownership changes, unless the new device owner belongs to a custom role or adminstrative unit scope. In such an instance, the user will need to contact other scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index 05f61ccf78..75939e36c9 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-
-- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
-- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
+### What file formats are supported by the SCT?
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
|--|--|--|--|
+| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
### Microsoft products
| Name | Details | Security Tools |
|--|--|--|
-| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index ced5288d21..3556919a26 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- - Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
+ - Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- - Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
+ - Microsoft 365 Apps for Enterprise Version 2412
- Microsoft Edge security baseline
- Microsoft Edge version 128
- Tools
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index c2a7ae57a8..2fc0efca6e 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index daf7f89f5d..9a4865a98c 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 539eeaeda6..26a2c22a06 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
-- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 85b51dd4d1..53c870afc0 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 8fa4ab6725..9702c4afee 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
-- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
-At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section.
Server-side infrastructure requirements to support VPN device compliance include:
@@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
-> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
-> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
+> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
+> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
-1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 7199978f6c..0c0b47c65c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> 
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 3233517baa..c1c9ac3826 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: overview
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 666f60d6c1..36074af74a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index aced17dd8e..02b7c5daff 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index 4fdbb86971..43f5802163 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index e5f0bc3f68..6bbae9aa58 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -1,5 +1,5 @@
---
-ms.date: 05/06/2024
+ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
Once enabled, you can add the routes that should use the VPN connection.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index 0ca87d7370..2e53eeeae5 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index 85561cf109..b332d7b87d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -74,6 +74,10 @@ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+``` cmd
+netsh.exe advfirewall set allprofiles state off
+```
+
---
## Deploy basic firewall rules
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 68fce9d079..0409ddfbb3 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -25,7 +25,7 @@ See the following articles to learn more about the different areas of Windows th
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
-- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
+- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/index.md)
## Next-generation protection
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 568b781fc7..88573222b7 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 12/12/2024
+ms.date: 02/19/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@@ -21,9 +21,9 @@ appliesto:
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that were removed, see [Windows features removed](removed-features.md).
-For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
-
-To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
+- To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
+- For more information about how deprecation fits into the Windows lifecycle, see [Deprecation: What it means in the Windows lifecycle](https://techcommunity.microsoft.com/blog/windows-itpro-blog/deprecation-what-it-means-in-the-windows-lifecycle/4372457).
+- For more information about features removed on upgrade to Windows 11 from Windows 10, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features were replaced with other features or functionality and some are now available from other sources.
@@ -47,18 +47,20 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
+| Line printer daemon (LPR/LPD) | Deprecation reminder: [The line printer daemon protocol (LPR/LPD) was deprecated](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing) starting in Windows Server 2012. As removal of the line printer daemon protocol nears, we'd like to remind customers to ensure their environments are prepared for removal. When these features are eventually removed, clients that print to a server using this protocol, such as UNIX clients, will not be able to connect or print. Instead, UNIX clients should use IPP. Windows clients can connect to UNIX shared printers using the [Windows Standard Port Monitor](/troubleshoot/windows-server/printing/standard-port-monitor-for-tcpip). | [Original announcement: Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)#printing)
Courtesy reminder: February 2025 |
+| Location History | We are deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 |
| Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 |
| Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired: - Playback of protected content in the legacy Windows Media Player on Windows 7
- Playback of protected content in a Silverlight client and Windows 8 clients
- In-home streaming playback from a Silverlight client or Windows 8 client to an Xbox 360
- Playback of protected content ripped from a personal CD on Windows 7 clients using Windows Media Player
| September 2024 |
| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 |
-| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
+| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
-| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 |
+| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which tries to authenticate with Kerberos and only falls back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 |
| Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
-| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
-| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
+| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to `disabled` by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
+| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits is deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
-| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
-| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
**[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
+| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | December 2023 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
**[Update - April 2024]**: Because Application Guard is deprecated there won't be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app won't be available after May 2024. This change affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you're ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
index 306de5a2a9..e5f8535abe 100644
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 01/21/2025
+ms.date: 02/19/2025
ms.collection:
- highpri
- tier2
@@ -43,7 +43,9 @@ The following are frequently asked questions about the ESU program for Windows 1
### How much does ESU cost?
-Extended Security Updates for Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
+For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year.
### Is there a minimum license purchase requirement for Windows 10 ESU?