deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into dep-wordpad-8254696

Browse Source
This commit is contained in:
Aaron Czechowski 2023-09-01 06:50:08 -07:00 committed by GitHub
commit 94046f29a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
73 changed files with 1214 additions and 1511 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.openpublishing.redirection.windows-application-management.json
View File

@ -7,17 +7,22 @@
},
{
"source_path": "windows/application-management/msix-app-packaging-tool.md",
"redirect_url": "/windows/application-management/apps-in-windows-10",
"redirect_url": "/windows/application-management/overview-windows-apps",
"redirect_document_id": false
},
{
"source_path": "windows/application-management/provisioned-apps-windows-client-os.md",
"redirect_url": "/windows/application-management/apps-in-windows-10",
"redirect_url": "/windows/application-management/overview-windows-apps#windows-apps",
"redirect_document_id": false
},
{
"source_path": "windows/application-management/system-apps-windows-client-os.md",
"redirect_url": "/windows/application-management/apps-in-windows-10",
"redirect_url": "/windows/application-management/overview-windows-apps#windows-apps",
"redirect_document_id": false
},
{
"source_path": "windows/application-management/apps-in-windows-10.md",
"redirect_url": "/windows/application-management/overview-windows-apps",
"redirect_document_id": false
}
]

5
.openpublishing.redirection.windows-deployment.json
View File

@ -750,6 +750,11 @@
"redirect_url": "/windows/deployment/windows-10-subscription-activation",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/do/mcc-enterprise-portal-deploy.md",
"redirect_url": "/windows/deployment/do/mcc-enterprise-deploy",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/deploy/index.md",
"redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",

45
.openpublishing.redirection.windows-security.json
View File

@ -7334,6 +7334,51 @@
"source_path": "windows/security/zero-trust-windows-device-health.md",
"redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq",
"redirect_document_id": false
}
]
}

160
windows/application-management/apps-in-windows-10.md
View File

@ -1,160 +0,0 @@
---
title: Overview of apps on Windows client devices
description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 02/09/2023
ms.topic: overview
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Overview of apps on Windows client devices
## Before you begin
As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use the Microsoft Intune family of products. This family includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## App types
There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices.
- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
For more information on the Microsoft 365 license options, and what you get, see [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
- **Power Apps**: These apps connect to business data available online and on-premises, and can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/powerapps/powerapps-overview).
- **.NET apps**: These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include:
- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development).
- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
- **Windows apps**:
> [!TIP]
> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
- **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
- **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
- **Installed**: Installed as part of the OS.
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide).
- **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET.
For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
- **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a Web App](https://azure.microsoft.com/get-started/web-app/). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview).
Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
## Android&trade; apps
Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android&trade; apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
For more information, see:
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
## Add or deploy apps to devices
When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
> [!NOTE]
> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
>Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps.
- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.
If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10).
For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
- **Mobile device management (MDM)**: Use an MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more.
For more information, see:
- [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
- [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
- **Microsoft Store**: When you use the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store.
To help manage the Microsoft Store on your devices, you can use policies:
- On premises, you can use Administrative Templates in Group Policy to control access to the Microsoft Store app:
- `User Configuration\Administrative Templates\Windows Components\Store`
- `Computer Configuration\Administrative Templates\Windows Components\Store`
- Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to control access to the Microsoft Store app.
For more information, see:
- [Microsoft Store for Business and Education](/microsoft-store/)
- [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423)
- **MSIX for desktop apps**: MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX.
To deploy MSIX packages and their apps, you can:
- Use an MDM provider, like Microsoft Intune and Configuration Manager.
- Use an App Installer. User users double-click an installer file, or select a link on a web page.
- And more.
For more information, see:
- [What is MSIX?](/windows/msix/overview)
- [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise)
- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers.
If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option for your organization.
For more information, see [Windows Package Manager](/windows/package-manager).
- **Azure Virtual desktop with MSIX app attach**: With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups.
The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization.
For more information, see:
- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps.
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
To help manage App-V on your devices, you can use policies:
- On premises, you can use Administrative Templates in Group Policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`).
- Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to deploy App-V policies.

2
windows/application-management/index.yml
View File

@ -24,7 +24,7 @@ landingContent:
- linkListType: how-to-guide
links:
- text: Overview of apps in Windows
url: apps-in-windows-10.md
url: overview-windows-apps.md
- text: Add or hide Windows features
url: add-apps-and-features.md
- text: Sideload LOB apps

200
windows/application-management/overview-windows-apps.md Normal file
View File

@ -0,0 +1,200 @@
---
title: Overview of apps on Windows client devices
description: Learn about the different types of apps that run on Windows. For example, Universal Windows Platform (UWP), Windows Presentation Foundation (WPF), Win32, and Windows Forms apps. This article also includes the best way to install these apps.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 08/28/2023
ms.topic: overview
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Overview of apps on Windows client devices
There are different types of apps that can run on your Windows client devices. This article provides an overview of some of the common apps used on Windows devices. It also explains the basics of how to install these apps.
## Windows app types
### Microsoft 365 apps
These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
For more information on the Microsoft 365 license options, and what you get, see [Find the right Microsoft 365 enterprise plan for your organization](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing).
For more information on deploying Microsoft 365 apps, see the [Deployment guide for Microsoft 365 Apps](/DeployOffice/deployment-guide-microsoft-365-apps).
### Power Apps
These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers.
For more information, see [What is Power Apps?](/power-apps/powerapps-overview).
### .NET apps
These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include:
- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF application development](/dotnet/desktop/wpf/app-development).
- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
### Windows apps
> [!TIP]
> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
- **Apps**: All apps installed in the protected directory `C:\Program Files\WindowsApps`. There are two classes of these apps:
- **Installed**: Installed as part of the OS.
- **Provisioned**: Installed the first time you sign in with a new user account.
> [!TIP]
> To get a list of all provisioned apps, use Windows PowerShell:
>
> ```powershell
> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
> ```
>
> The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide).
- **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET.
For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Top 11 things you can do to make your app great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
- **System apps**: Apps installed in the system root directory `C:\Windows\`. These apps are part of the Windows OS.
> [!TIP]
> To get a list of all the system apps, use Windows PowerShell:
>
> ```powershell
> `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
> ```
>
> The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
### Web apps
Web apps and progressive web apps (PWA) run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have network access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a web app](/visualstudio/get-started/csharp/tutorial-aspnet-core). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview).
When you use an MDM provider like Microsoft Intune, you can create shortcuts to your web apps and progressive web apps on devices. For more information, see [Add web apps to Microsoft Intune](/mem/intune/apps/web-app).
## Android&trade; apps
Starting with Windows 11, you can install Android&trade; apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like others apps.
For more information, see the following articles:
- [Apps from the Amazon Appstore](https://support.microsoft.com/windows/apps-from-the-amazon-appstore-abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
## Add or deploy apps to devices
When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
### Manually install
On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.
If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10).
For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
### Management service
Use an MDM provider like Microsoft Intune, or an on-premises solution like Configuration Manager. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, or add Store apps.
For more information, see:
- [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
- [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
### Microsoft Store
When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store.
> [!NOTE]
> Retirement of the Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
>
> For more information, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/bc-p/3771217). This blog post describes the new Microsoft Store experience for both Windows 11 and Windows 10. To learn about other options for getting and managing apps, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
To help manage the Microsoft Store on your devices, you can use policies:
- On premises, you can use administrative templates in group policy to control access to the Microsoft Store app:
- `User Configuration\Administrative Templates\Windows Components\Store`
- `Computer Configuration\Administrative Templates\Windows Components\Store`
- Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to control access to the Microsoft Store app.
### MSIX for desktop apps
MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX.
To deploy MSIX packages and their apps, you can:
- Use a management service, like Microsoft Intune and Configuration Manager.
- Use an App Installer. User users double-click an installer file, or select a link on a web page.
For more information, see the following articles:
- [What is MSIX?](/windows/msix/overview)
- [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise)
### Windows Package Manager
Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from services like the Microsoft Store or GitHub, and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers.
If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option.
For more information, see [Windows Package Manager](/windows/package-manager).
### Azure Virtual desktop with MSIX app attach
With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups.
The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization.
For more information, see the following articles:
- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
### Application Virtualization (App-V)
App-V allows Win32 apps to be used as virtual apps.
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
## Manage apps
To help manage your devices, and help manage apps on your devices, use a management service like Microsoft Intune and Configuration Manager. For more information, see the following articles:
- [Overview of endpoint management](/mem/endpoint-manager-overview)
- [Manage your apps and app data in Microsoft Intune](/mem/intune/fundamentals/manage-apps)
- [Introduction to application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
## Application compatibility
Microsoft is committed to making sure your business-critical apps work on the latest versions of Windows. For more information, see the following articles:
- [Compatibility for Windows 11](/windows/compatibility/windows-11/)
- [FastTrack App Assure program](/windows/compatibility/app-assure)

2
windows/application-management/toc.yml
View File

@ -4,7 +4,7 @@ items:
- name: Application management
items:
- name: Overview of apps in Windows
href: apps-in-windows-10.md
href: overview-windows-apps.md
- name: Add or hide Windows features
href: add-apps-and-features.md
- name: Sideload line of business (LOB) apps

2
windows/client-management/client-tools/mandatory-user-profile.md
View File

@ -51,7 +51,7 @@ First, you create a default user profile with the customizations that you want,
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/overview-windows-apps).
> [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.

123
windows/client-management/mdm/policy-csp-update.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -25,11 +25,11 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AllowOptionalContent](#allowoptionalcontent)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
- [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](#allowoptionalcontent)
- [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup)
- [BranchReadinessLevel](#branchreadinesslevel)
- [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays)
@ -107,65 +107,6 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
<!-- AllowOptionalContent-Begin -->
### AllowOptionalContent
<!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
```
<!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF -->
This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
<!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionalContent-Editable-End -->
<!-- AllowOptionalContent-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionalContent-DFProperties-End -->
<!-- AllowOptionalContent-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Device doesn't receive optional updates. |
| 1 | Device receives optional updates and user can install from WU Settings page. |
| 2 | Device receives optional updates and install them as soon as they're available. |
<!-- AllowOptionalContent-AllowedValues-End -->
<!-- AllowOptionalContent-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
<!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionalContent-Examples-End -->
<!-- AllowOptionalContent-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
@ -335,6 +276,66 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
<!-- AllowNonMicrosoftSignedUpdate-End -->
<!-- AllowOptionalContent-Begin -->
### AllowOptionalContent
<!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
```
<!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF -->
This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
<!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionalContent-Editable-End -->
<!-- AllowOptionalContent-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionalContent-DFProperties-End -->
<!-- AllowOptionalContent-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't receive optional updates. |
| 1 | Automatically receive optional updates (including CFRs). |
| 2 | Automatically receive optional updates. |
| 3 | Users can select which optional updates to receive. |
<!-- AllowOptionalContent-AllowedValues-End -->
<!-- AllowOptionalContent-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
<!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionalContent-Examples-End -->
<!-- AllowOptionalContent-End -->
<!-- AutomaticMaintenanceWakeUp-Begin -->
### AutomaticMaintenanceWakeUp

4
windows/deployment/do/TOC.yml
View File

@ -38,13 +38,11 @@
- name: Requirements
href: mcc-enterprise-prerequisites.md
- name: Deploy Microsoft Connected Cache
href: mcc-enterprise-portal-deploy.md
href: mcc-enterprise-deploy.md
- name: Update or uninstall MCC
href: mcc-enterprise-update-uninstall.md
- name: Appendix
href: mcc-enterprise-appendix.md
- name: MCC for Enterprise and Education (early preview)
href: mcc-enterprise-deploy.md
- name: MCC for ISPs
items:
- name: MCC for ISPs Overview

6
windows/deployment/do/mcc-enterprise-deploy.md
View File

@ -1,5 +1,5 @@
---
title: MCC for Enterprise and Education (early preview)
title: Deploying your cache node
manager: aaroncz
description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
ms.prod: windows-client
@ -12,7 +12,7 @@ ms.technology: itpro-updates
ms.collection: tier3
---
# Deploying your enterprise cache node
# Deploying your cache node
**Applies to**
@ -130,7 +130,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
- Downloads, installs, and deploys EFLOW
- Enables Microsoft Update so EFLOW can stay up to date
- Creates a virtual machine
- Enables the firewall and opens ports 80 for inbound and outbound traffic. Port 80 is used by MCC.
- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
- Configures Connected Cache tuning settings.
- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
- Deploys the MCC container to server.

145
windows/deployment/do/mcc-enterprise-portal-deploy.md
View File

@ -1,145 +0,0 @@
---
title: Deploying your cache node
manager: aaroncz
description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
ms.prod: windows-client
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
---
# Deploying your cache node
**Applies to**
- Windows 10
- Windows 11
## Create the Microsoft Connected Cache resource
1. Navigate to Azure portal by using the [following link](https://aka.ms/mcc-enterprise-preview):
> [!IMPORTANT]
> You must access Azure portal using this link (https://aka.ms/mcc-enterprise-preview) in order to find the correct Microsoft Connected Cache resource.
![Screenshot of Azure portal "Create a resource" page, where you search for the Microsoft Connected Cache resource](images/ent-mcc-portal-create.png)
1. In the search bar by **Get Started**, search for `Microsoft Connected Cache for Enterprise`.
![Screenshot of Azure portal after searching for the Microsoft Connected Cache resource](images/ent-mcc-portal-resource.png)
1. Select **Create** to create your Microsoft Connected Cache resource. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a “Deployment complete” page as below. Select **Go to resource**.
![Screenshot of Azure portal after the deployment is complete](images/ent-mcc-deployment-complete.png)
## Create, provision, and deploy the cache node in Azure portal
To create, provision, and deploy the cache node in Azure portal, follow these steps:
1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise (preview) resource.
1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**.
1. Provide a name for your cache node and select **Create** to create your cache node.
1. You may need to refresh to see the cache node. Select the cache node to configure it.
1. Fill out the Basics and Storage fields. Enter the cache drive size in GB - this has a minimum size of 50 GB.
![Screenshot of Azure portal on the Provisioning page, where the user can configure their cache node.](images/ent-mcc-provisioning.png)
Once complete, select **Save** at the top of the page and select **Provision server**.
1. To deploy your cache node, download the installer by selecting **Download provisioning package**.
1. Run the provided provisioning script - note that this is unique to each cache node.
## Verify proper functioning MCC server
#### Verify client side
Connect to the EFLOW VM and check if MCC is properly running:
1. Open PowerShell as an Administrator.
2. Enter the following commands:
```powershell
Connect-EflowVm
sudo -s
iotedge list
```
:::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
#### Verify server side
For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
```powershell
wget [http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
```
A successful test result will display a status code of 200 along with additional information.
:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png":::
:::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png":::
Similarly, enter the following URL from a browser in the network:
`http://<YourCacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com`
If the test fails, see the [common issues](#common-issues) section for more information.
### Monitoring your metrics
To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal.
:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab.":::
You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar.
If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured.
### Intune (or other management software) configuration for MCC
For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names.":::
## Common Issues
#### PowerShell issues
If you're seeing errors similar to this error: `The term Get-<Something> isn't recognized as the name of a cmdlet, function, script file, or operable program.`
1. Ensure you're running Windows PowerShell version 5.x.
1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*.
1. Ensure you have Hyper-V enabled:
**Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
**Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
#### Verify Running MCC Container
Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
```bash
Connect-EflowVm
sudo iotedge list
```
:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
```bash
sudo journalctl -u iotedge -f
```
This command will provide the current status of the starting, stopping of a container, or the container pull and start.
:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
> [!NOTE]
> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.

4
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -276,9 +276,7 @@ Starting in Windows 10, version 1803, allows you to delay the use of an HTTP sou
MDM Setting: **DelayCacheServerFallbackForeground**
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
By default this policy isn't set. So,
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
### Delay Background Download Cache Server Fallback (in secs)

2
windows/deployment/update/deployment-service-drivers.md
View File

@ -1,6 +1,6 @@
---
title: Deploy drivers and firmware updates
titlesuffix: Windows Update for Business deployment service
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
ms.prod: windows-client
ms.technology: itpro-updates

124
windows/deployment/update/deployment-service-expedited-updates.md
View File

@ -1,6 +1,6 @@
---
title: Deploy expedited updates
titlesuffix: Windows Update for Business deployment service
titleSuffix: Windows Update for Business deployment service
description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/14/2023
ms.date: 08/29/2023
---
# Deploy expedited updates with Windows Update for Business deployment service
@ -51,13 +51,13 @@ All of the [prerequisites for the Windows Update for Business deployment service
## List catalog entries for expedited updates
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=1` and ordering by `ReleaseDateTimeshows` displays the most recent update that can be deployed as expedited.
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=1
```
The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
The following truncated response displays a **Catalog ID** of `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5` for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update:
```json
{
@ -65,21 +65,119 @@ The following truncated response displays a **Catalog ID** of `693fafea03c24cca
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
"displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
"displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
"deployableUntilDateTime": null,
"releaseDateTime": "2023-01-10T00:00:00Z",
"releaseDateTime": "2023-08-08T00:00:00Z",
"isExpeditable": true,
"qualityUpdateClassification": "security"
},
...
"qualityUpdateClassification": "security",
"catalogName": "2023-08 Cumulative Update for Windows 10 and later",
"shortName": "2023.08 B",
"qualityUpdateCadence": "monthly",
"cveSeverityInformation": {
"maxSeverity": "critical",
"maxBaseScore": 9.8,
"exploitedCves@odata.context": "https://graph.microsoft.com/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
"exploitedCves": [
{
"number": "ADV230003",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
},
{
"number": "CVE-2023-38180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
}
]
}
}
]
}
```
The deployment service can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers.
<!--8092737-->
Use the following to display the product revision information for the most recent quality update:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc&$top=1
```
The following truncated response displays information about KB5029244 for Windows 10, version 22H2, and KB5029263 for Windows 11, version 22H2:
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries(microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions())",
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
"displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
"deployableUntilDateTime": null,
"releaseDateTime": "2023-08-08T00:00:00Z",
"isExpeditable": true,
"qualityUpdateClassification": "security",
"catalogName": "2023-08 Cumulative Update for Windows 10 and later",
"shortName": "2023.08 B",
"qualityUpdateCadence": "monthly",
"cveSeverityInformation": {
"maxSeverity": "critical",
"maxBaseScore": 9.8,
"exploitedCves@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
"exploitedCves": [
{
"number": "ADV230003",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
},
{
"number": "CVE-2023-38180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
}
]
},
"productRevisions@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions",
"productRevisions": [
{
"id": "10.0.19045.3324",
"displayName": "Windows 10, version 22H2, build 19045.3324",
"releaseDateTime": "2023-08-08T00:00:00Z",
"version": "22H2",
"product": "Windows 10",
"osBuild": {
"majorVersion": 10,
"minorVersion": 0,
"buildNumber": 19045,
"updateBuildRevision": 3324
},
"knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.19045.3324')/knowledgeBaseArticle/$entity",
"knowledgeBaseArticle": {
"id": "KB5029244",
"url": "https://support.microsoft.com/help/5029244"
}
},
{
"id": "10.0.22621.2134",
"displayName": "Windows 11, version 22H2, build 22621.2134",
"releaseDateTime": "2023-08-08T00:00:00Z",
"version": "22H2",
"product": "Windows 11",
"osBuild": {
"majorVersion": 10,
"minorVersion": 0,
"buildNumber": 22621,
"updateBuildRevision": 2134
},
"knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.22621.2134')/knowledgeBaseArticle/$entity",
"knowledgeBaseArticle": {
"id": "KB5029263",
"url": "https://support.microsoft.com/help/5029263"
}
},
```
## Create a deployment
When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update with catalog entry ID `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5`, and defines the `expedite` and `userExperience` deployment options in the request body.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
@ -91,7 +189,7 @@ content-type: application/json
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5"
}
},
"settings": {

7
windows/deployment/update/deployment-service-feature-updates.md
View File

@ -1,6 +1,6 @@
---
title: Deploy feature updates
titlesuffix: Windows Update for Business deployment service
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/14/2023
ms.date: 08/29/2023
---
# Deploy feature updates with Windows Update for Business deployment service
@ -86,7 +86,8 @@ The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4b
"displayName": "Windows 11, version 22H2",
"deployableUntilDateTime": "2025-10-14T00:00:00Z",
"releaseDateTime": "2022-09-20T00:00:00Z",
"version": "Windows 11, version 22H2"
"version": "Windows 11, version 22H2",
"buildNumber": "22621"
}
]
}

2
windows/deployment/update/deployment-service-overview.md
View File

@ -1,6 +1,6 @@
---
title: Overview of the deployment service
titlesuffix: Windows Update for Business deployment service
titleSuffix: Windows Update for Business deployment service
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
ms.prod: windows-client
ms.technology: itpro-updates

2
windows/deployment/update/deployment-service-prerequisites.md
View File

@ -1,6 +1,6 @@
---
title: Prerequisites for the deployment service
titlesuffix: Windows Update for Business deployment service
titleSuffix: Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
ms.prod: windows-client
ms.technology: itpro-updates

2
windows/deployment/update/deployment-service-troubleshoot.md
View File

@ -1,6 +1,6 @@
---
title: Troubleshoot the deployment service
titlesuffix: Windows Update for Business deployment service
titleSuffix: Windows Update for Business deployment service
description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
ms.prod: windows-client
ms.technology: itpro-updates

17
windows/deployment/update/includes/wufb-reports-endpoints.md
View File

@ -5,7 +5,7 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 04/06/2022
ms.date: 08/21/2023
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-prerequisites.md and the update/update-compliance-configuration-manual.md articles. Headings are driven by article context. -->
@ -14,10 +14,11 @@ Devices must be able to contact the following endpoints in order to authenticate
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
| `https://adl.windows.com` | Required for Windows Update functionality. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
| `*v10c.events.data.microsoft.com` </br> </br> `eu-v10c.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) <!--8141818--> | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
| `umwatsonc.events.data.microsoft.com` </br> </br> `eu-watsonc.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| `v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
| `adl.windows.com` | Required for Windows Update functionality. |
| `oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
| `*.blob.core.windows.net` | Azure blob data storage.|

13
windows/deployment/update/waas-wu-settings.md
View File

@ -1,23 +1,24 @@
---
title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update.
description: In this article, learn about additional settings to control the behavior of Windows Update in your organization.
ms.prod: windows-client
ms.localizationpriority: medium
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 04/25/2023
---
# Manage additional Windows Update settings
***(Applies to: Windows 11 & Windows 10)***
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.

21
windows/deployment/update/waas-wufb-csp-mdm.md
View File

@ -2,23 +2,20 @@
title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/28/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -176,9 +173,9 @@ There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) Use the default Windows Update notifications<br/>
**1** Turn off all notifications, excluding restart warnings<br/>
**2** Turn off all notifications, including restart warnings
**0** (default) - Use the default Windows Update notifications<br/>
**1** - Turn off all notifications, excluding restart warnings<br/>
**2** - Turn off all notifications, including restart warnings
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.

2
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -195,7 +195,7 @@ Still more options are available in **Computer Configuration > Administrative Te
Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to Pause updates**.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to Pause updates**.
When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.

541
windows/deployment/update/windows-update-error-reference.md
View File

@ -2,95 +2,92 @@
title: Windows Update error code list by component
description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/18/2018
ms.topic: article
ms.technology: itpro-updates
---
# Windows Update error codes by component
**Applies to**
- Windows 10
- Windows 11
This section lists the error codes for Microsoft Windows Update.
## Automatic Update Errors
| Error code | Message | Description |
|------------|---------------------------------|--------------------------------------------------------------------------------------------------------|
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| 0x8024A000 | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. |
| 0x8024A002 | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. |
| 0x8024A004 | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. |
| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. |
| 0x8024AFFF | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. |
| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| `0x8024A000` | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. |
| `0x8024A002` | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
| `0x8024A003` | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. |
| `0x8024A004` | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. |
| `0x8024A005` | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. |
| `0x8024AFFF` | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. |
## Windows Update UI errors
| Error code | Message | Description |
|------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation could not be read from the registry due to an unrecognized data format version. |
| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. |
| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. |
| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |
| `0x80243001` | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation couldn't be read from the registry due to an unrecognized data format version. |
| `0x80243002` | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation couldn't be read from the registry due to an invalid data format. |
| `0x80243003` | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation aren't available; the operation may have failed to start. |
| `0x80243004` | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
| `0x80243FFD` | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
| `0x80243FFE` | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| `0x8024043D` | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property isn't available. |
## Inventory errors
| Error code | Message | Description |
|------------|--------------------------------------------|-------------------------------------------------------------------------------|
| 0x80249001 | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. |
| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. |
| 0x80249003 | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. |
| 0x80249004 | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. |
| 0x80249005 | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. |
| `0x80249001` | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. |
| `0x80249002` | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. |
| `0x80249003` | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. |
| `0x80249004` | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. |
| `0x80249005` | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. |
## Expression evaluator errors
| Error code | Message | Description |
|------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| 0x8024E001 | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation could not be completed because an expression was unrecognized. |
| 0x8024E002 | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation could not be completed because an expression was invalid. |
| 0x8024E003 | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. |
| 0x8024E004 | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. |
| 0x8024E005 | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator could not be initialized. |
| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation could not be completed because there was an invalid attribute. |
| 0x8024E007 | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. |
| 0x8024EFFF | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. |
| `0x8024E001` | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was unrecognized. |
| `0x8024E002` | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was invalid. |
| `0x8024E003` | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation couldn't be completed because an expression contains an incorrect number of metadata nodes. |
| `0x8024E004` | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation couldn't be completed because the version of the serialized expression data is invalid. |
| `0x8024E005` | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator couldn't be initialized. |
| `0x8024E006` | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation couldn't be completed because there was an invalid attribute. |
| `0x8024E007` | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined. |
| `0x8024EFFF` | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. |
## Reporter errors
| Error code | Message | Description |
|------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| 0x80247001 | `WU_E_OL_INVALID_SCANFILE` | An operation could not be completed because the scan package was invalid. |
| 0x80247002 | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. |
| 0x80247FFF | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. |
| 0x8024F001 | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. |
| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor could not be parsed. |
| 0x8024F003 | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor could not be parsed. |
| 0x8024F004 | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. |
| 0x8024FFFF | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. |
| `0x80247001` | `WU_E_OL_INVALID_SCANFILE` | An operation couldn't be completed because the scan package was invalid. |
| `0x80247002` | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation couldn't be completed because the scan package requires a greater version of the Windows Update Agent. |
| `0x80247FFF` | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. |
| `0x8024F001` | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. |
| `0x8024F002` | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor couldn't be parsed. |
| `0x8024F003` | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor couldn't be parsed. |
| `0x8024F004` | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. |
| `0x8024FFFF` | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. |
## Redirector errors
The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors.
| Error code | Message | Description |
|----------- |------------------------------|------------------------------------------------------------------------------------------|
| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document could not be loaded into the DOM class. |
| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. |
| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. |
| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
| `0x80245001` | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document couldn't be loaded into the DOM class. |
| `0x80245002` | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. |
| `0x80245003` | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. |
| `0x80245FFF` | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
## Protocol Talker errors
The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method.
@ -98,271 +95,271 @@ The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. Th
| Error code | Message | Description |
|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| 0x80244000 | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. |
| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. |
| 0x80244003 | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. |
| 0x80244004 | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. |
| 0x80244005 | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. |
| 0x80244006 | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. |
| 0x80244007 | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. |
| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. |
| 0x80244009 | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. |
| 0x8024400A | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. |
| `0x80244000` | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. |
| `0x80244001` | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
| `0x80244002` | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. |
| `0x80244003` | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. |
| `0x80244004` | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. |
| `0x80244005` | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. |
| `0x80244006` | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. |
| `0x80244007` | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. |
| `0x80244008` | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. |
| `0x80244009` | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. |
| `x8024400A` | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. |
## Other Protocol Talker errors
The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
| Error code | Message | Description |
|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x8024400B | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. |
| 0x8024400C | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. |
| 0x8024400D | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. |
| 0x8024400E | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later. |
| 0x8024400F | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. |
| 0x80244010 | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. |
| 0x80244011 | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. |
| 0x80244012 | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. |
| 0x80244013 | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name could not be determined. |
| 0x80244015 | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. |
| 0x80244016 | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server could not process the request due to invalid syntax. |
| 0x80244017 | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. |
| 0x80244018 | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. |
| 0x80244019 | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). |
| 0x8024401A | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method is not allowed. |
| 0x8024401B | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. |
| 0x8024401C | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. |
| 0x8024401D | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. |
| 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
| 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
| 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. |
| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
| 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
| 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
| 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. |
| 0x80244025 | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. |
| 0x80244026 | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. |
| 0x80244027 | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. |
| 0x80244028 | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. |
| 0x80244029 | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. |
| 0x8024402A | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. |
| 0x8024402B | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request could not be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes. |
| 0x8024402C | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. |
| 0x8024402F | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. |
| 0x80244030 | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization did not complete. |
| 0x80244031 | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. |
| 0x80244032 | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. |
| 0x80244033 | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest could not be extracted from an external cab file. |
| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file could not be decompressed. |
| 0x80244035 | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. |
| 0x80244FFF | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. |
| 0x8024502D | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
| 0x8024502E | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action did not complete because the server is managed. |
| Error code | Message | Description |
|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| `0x8024400B` | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. |
| `0x8024400C` | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. |
| `0x8024400D` | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. |
|`0x8024400E` | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message couldn't be processed due to a server error; resend later. |
| `0x8024400F` | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. |
| `0x80244010` | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. |
| `0x80244011` | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. |
| `0x80244012` | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. |
| `0x80244013` | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name couldn't be determined. |
| `0x80244015` | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. |
| `0x80244016` | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server couldn't process the request due to invalid syntax. |
| `0x80244017` | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. |
| `0x80244018` | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. |
| `0x80244019` | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server can't find the requested URI (Uniform Resource Identifier). |
| `0x8024401A` | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method isn't allowed. |
| `0x8024401B` | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. |
| `0x8024401C` | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. |
| `0x8024401D` | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request wasn't completed due to a conflict with the current state of the resource. |
| `0x8024401E` | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
| `0x8024401F` | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
| `0x80244020` | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server doesn't support the functionality required to fulfill the request. |
|`0x80244021` | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
| `0x80244022` | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
| `0x80244023` | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
| `0x80244024` | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server doesn't support the HTTP protocol version used for the request. |
| `0x80244025` | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. |
| `0x80244026` | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent doesn't support registration with a non-WSUS server. |
| `0x80244027` | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. |
| `0x80244028` | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. |
| `0x80244029` | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. |
| `0x8024402A` | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. |
| `0x8024402B` | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request couldn't be completed and the reason didn't correspond to any of the `WU_E_PT_HTTP_*` error codes. |
| `0x8024402C` | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name can't be resolved. |
| `0x8024402F` | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. |
| `0x80244030` | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization didn't complete. |
| `0x80244031` | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. |
| `0x80244032` | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. |
| `0x80244033` | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest couldn't be extracted from an external cab file. |
| `0x80244034` | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file couldn't be decompressed. |
| `0x80244035` | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. |
| `0x80244FFF` | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. |
| `0x8024502D` | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
| `0x8024502E` | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action didn't complete because the server is managed. |
## Download Manager errors
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| 0x80246001 | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation could not be completed because the requested file does not have a URL. |
| 0x80246002 | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation could not be completed because the file digest was not recognized. |
| 0x80246003 | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. |
| 0x80246004 | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation could not be completed because a download request is required from the download handler. |
| 0x80246005 | `WU_E_DM_NONETWORK` | A download manager operation could not be completed because the network connection was unavailable. |
| 0x80246006 | `WU_E_DM_WRONGBITSVERSION` | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
| 0x80246007 | `WU_E_DM_NOTDOWNLOADED` | The update has not been downloaded. |
| 0x80246008 | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
| 0x80246009 | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. |
| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. |
| 0x8024600B | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. |
| 0x80246FFF | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. |
| `0x80246001` | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation couldn't be completed because the requested file doesn't have a URL. |
| `0x80246002` | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation couldn't be completed because the file digest wasn't recognized. |
| `0x80246003` | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation couldn't be completed because the file metadata requested an unrecognized hash algorithm. |
| `0x80246004` | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation couldn't be completed because a download request is required from the download handler. |
| `0x80246005` | `WU_E_DM_NONETWORK` | A download manager operation couldn't be completed because the network connection was unavailable. |
| `0x80246006` | `WU_E_DM_WRONGBITSVERSION` | A download manager operation couldn't be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
| `0x80246007` | `WU_E_DM_NOTDOWNLOADED` | The update hasn't been downloaded. |
| `0x80246008` | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
| `0x80246009` | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. |
| `0x8024600A` | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. |
| `0x8024600B` | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. |
| `0x80246FFF` | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. |
## Update Handler errors
| Error code | Message | Description |
|------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| 0x80242000 | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler could not be completed because no remote process is available. |
| 0x80242001 | `WU_E_UH_LOCALONLY` | A request for a remote update handler could not be completed because the handler is local only. |
| 0x80242002 | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler could not be completed because the handler could not be recognized. |
| 0x80242003 | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler could not be created because one already exists. |
| 0x80242004 | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). |
| 0x80242005 | `WU_E_UH_WRONGHANDLER` | An operation did not complete because the wrong handler was specified. |
| 0x80242006 | `WU_E_UH_INVALIDMETADATA` | A handler operation could not be completed because the update contains invalid metadata. |
| 0x80242007 | `WU_E_UH_INSTALLERHUNG` | An operation could not be completed because the installer exceeded the time limit. |
| 0x80242008 | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. |
| 0x80242009 | `WU_E_UH_BADHANDLERXML` | An operation could not be completed because the handler-specific metadata is invalid. |
| 0x8024200A | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update could not be completed because the update requires user input. |
| 0x8024200B | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. |
| 0x8024200C | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. |
| 0x8024200D | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler did not install the update because it needs to be downloaded again. |
| 0x8024200E | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. |
| 0x8024200F | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. |
| 0x80242010 | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. |
| 0x80242011 | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. |
| 0x80242012 | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. |
| 0x80242013 | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. |
| 0x80242014 | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. |
| 0x80242015 | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update could not be determined. |
| 0x80242016 | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. |
| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. |
| 0x80242FFF | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. |
| `0x80242000` | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler couldn't be completed because no remote process is available. |
| `0x80242001`| `WU_E_UH_LOCALONLY` | A request for a remote update handler couldn't be completed because the handler is local only. |
| `0x80242002` | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler couldn't be completed because the handler couldn't be recognized. |
| `0x80242003` | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler couldn't be created because one already exists. |
| `0x80242004` | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update couldn't be completed because the update doesn't support install (uninstall). |
|`0x80242005` | `WU_E_UH_WRONGHANDLER` | An operation didn't complete because the wrong handler was specified. |
| `0x80242006` | `WU_E_UH_INVALIDMETADATA` | A handler operation couldn't be completed because the update contains invalid metadata. |
| `0x80242007` | `WU_E_UH_INSTALLERHUNG` | An operation couldn't be completed because the installer exceeded the time limit. |
| `0x80242008` | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. |
| `0x80242009` | `WU_E_UH_BADHANDLERXML` | An operation couldn't be completed because the handler-specific metadata is invalid. |
| `0x8024200A` | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update couldn't be completed because the update requires user input. |
| `0x8024200B` | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. |
| `0x8024200C` | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. |
| `0x8024200D` | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler didn't install the update because it needs to be downloaded again. |
| `0x8024200E` | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. |
| `0x8024200F` | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. |
| `0x80242010` | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. |
| `0x80242011` | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. |
| `0x80242012` | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. |
| `0x80242013` | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. |
| `0x80242014` | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. |
| `0x80242015` | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update couldn't be determined. |
| `0x80242016` | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. |
| `0x80242017` | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. |
| `0x80242FFF` | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. |
## Data Store errors
| Error code | Message | Description |
|------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x80248000 | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. |
| 0x80248001 | `WU_E_DS_INUSE` | An operation failed because the data store was in use. |
| 0x80248002 | `WU_E_DS_INVALID` | The current and expected states of the data store do not match. |
| 0x80248003 | `WU_E_DS_TABLEMISSING` | The data store is missing a table. |
| 0x80248004 | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. |
| 0x80248005 | `WU_E_DS_INVALIDTABLENAME` | A table could not be opened because the table is not in the data store. |
| 0x80248006 | `WU_E_DS_BADVERSION` | The current and expected versions of the data store do not match. |
| 0x80248007 | `WU_E_DS_NODATA` | The information requested is not in the data store. |
| 0x80248008 | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. |
| 0x80248009 | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
| 0x8024800A | `WU_E_DS_UNKNOWNHANDLER` | The update was not processed because its update handler could not be recognized. |
| 0x8024800B | `WU_E_DS_CANTDELETE` | The update was not deleted because it is still referenced by one or more services. |
| 0x8024800C | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section could not be locked within the allotted time. |
| 0x8024800D | `WU_E_DS_NOCATEGORIES` | The category was not added because it contains no parent categories and is not a top-level category itself. |
| 0x8024800E | `WU_E_DS_ROWEXISTS` | The row was not added because an existing row has the same primary key. |
| 0x8024800F | `WU_E_DS_STOREFILELOCKED` | The data store could not be initialized because it was locked by another process. |
| 0x80248010 | `WU_E_DS_CANNOTREGISTER` | The data store is not allowed to be registered with COM in the current process. |
| 0x80248011 | `WU_E_DS_UNABLETOSTART` | Could not create a data store object in another process. |
| 0x80248013 | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. |
| 0x80248014 | `WU_E_DS_UNKNOWNSERVICE` | An operation did not complete because the service is not in the data store. |
| 0x80248015 | `WU_E_DS_SERVICEEXPIRED` | An operation did not complete because the registration of the service has expired. |
| 0x80248016 | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. |
| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` | A table was not closed because it is not associated with the session. |
| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH` | A table was not closed because it is not associated with the session. |
| 0x80248019 | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. |
| 0x8024801A | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation is not allowed. |
| 0x8024801B | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document do not match. |
| 0x8024801C | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. |
| 0x8024801D | `WU_E_DS_IMPERSONATED` | A data store operation did not complete because it was requested with an impersonated identity. |
| 0x80248FFF | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. |
| `0x80248000` | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. |
| `0x80248001` | `WU_E_DS_INUSE` | An operation failed because the data store was in use. |
| `0x80248002` | `WU_E_DS_INVALID` | The current and expected states of the data store don't match. |
| `0x80248003` | `WU_E_DS_TABLEMISSING` | The data store is missing a table. |
| `0x80248004` | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. |
| `0x80248005` | `WU_E_DS_INVALIDTABLENAME` | A table couldn't be opened because the table isn't in the data store. |
| `0x80248006` | `WU_E_DS_BADVERSION` | The current and expected versions of the data store don't match. |
| `0x80248007` | `WU_E_DS_NODATA` | The information requested isn't in the data store. |
| `0x80248008` | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. |
| `0x80248009` | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
| `0x8024800A` | `WU_E_DS_UNKNOWNHANDLER` | The update wasn't processed because its update handler couldn't be recognized. |
| `0x8024800B` | `WU_E_DS_CANTDELETE` | The update wasn't deleted because it's still referenced by one or more services. |
| `0x8024800C` | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section couldn't be locked within the allotted time. |
| `0x8024800D` | `WU_E_DS_NOCATEGORIES` | The category wasn't added because it contains no parent categories and isn't a top-level category itself. |
| `0x8024800E` | `WU_E_DS_ROWEXISTS` | The row wasn't added because an existing row has the same primary key. |
| `0x8024800F` | `WU_E_DS_STOREFILELOCKED` | The data store couldn't be initialized because it was locked by another process. |
| `0x80248010` | `WU_E_DS_CANNOTREGISTER` | The data store isn't allowed to be registered with COM in the current process. |
| `0x80248011` | `WU_E_DS_UNABLETOSTART` | Couldn't create a data store object in another process. |
| `0x80248013` | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. |
| `0x80248014` | `WU_E_DS_UNKNOWNSERVICE` | An operation didn't complete because the service isn't in the data store. |
| `0x80248015` | `WU_E_DS_SERVICEEXPIRED` | An operation didn't complete because the registration of the service has expired. |
| `0x80248016` | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it's a mandatory update or because it was deployed with a deadline. |
| `0x80248017` | `WU_E_DS_TABLESESSIONMISMATCH` | A table wasn't closed because it isn't associated with the session. |
| `0x80248018` | `WU_E_DS_SESSIONLOCKMISMATCH` | A table wasn't closed because it isn't associated with the session. |
| `0x80248019` | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it's a built-in service and/or Automatic Updates can't fall back to another service. |
| `0x8024801A` | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation isn't allowed. |
| `0x8024801B` | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document don't match. |
| `0x8024801C` | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. |
| `0x8024801D` | `WU_E_DS_IMPERSONATED` | A data store operation didn't complete because it was requested with an impersonated identity. |
| `0x80248FFF` | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. |
## Driver Util errors
The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped.
The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped.
| Error code | Message | Description |
|------------|-------------------------------|------------------------------------------------------------------------------------------------|
| 0x8024C001 | `WU_E_DRV_PRUNED` | A driver was skipped. |
| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver could not be found. It may not conform with required specifications. |
| 0x8024C003 | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver does not match the expected type. |
| 0x8024C004 | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. |
| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. |
| 0x8024C006 | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. |
| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. |
| 0x8024CFFF | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. |
| `0x8024C001` | `WU_E_DRV_PRUNED` | A driver was skipped. |
| `0x8024C002` | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver couldn't be found. It may not conform with required specifications. |
| `0x8024C003` | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver doesn't match the expected type. |
| `0x8024C004` | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. |
| `0x8024C005` | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. |
| `0x8024C006` | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. |
| `0x8024C007` | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. |
| `0x8024CFFF` | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. |
## Windows Update error codes
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------|
| 0x80240001 | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| 0x80240003 | `WU_E_UNKNOWN_ID` | An ID cannot be found.
| 0x80240004 | `WU_E_NOT_INITIALIZED` | The object could not be initialized.
| 0x80240005 | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
| 0x80240006 | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
| 0x80240007 | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
| 0x80240008 | `WU_E_ITEMNOTFOUND` | The key for the item queried could not be found.
| 0x80240009 | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.
| 0x8024000A | `WU_E_COULDNOTCANCEL` | Cancellation of the operation was not allowed.
| 0x8024000B | `WU_E_CALL_CANCELLED` | Operation was canceled.
| 0x8024000C | `WU_E_NOOP` | No operation was required.
| 0x8024000D | `WU_E_XML_MISSINGDATA` | Windows Update Agent could not find required information in the update's XML data.
| 0x8024000E | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
| 0x8024000F | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
| 0x80240010 | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
| 0x80240011 | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
| 0x80240012 | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
| 0x80240013 | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
| 0x80240017 | `WU_E_NOT_APPLICABLE` | Operation was not performed because there are no applicable updates.
| 0x80240018 | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time.
| 0x8024001A | `WU_E_POLICY_NOT_SET` | A policy value was not set.
| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation could not be performed because the Windows Update Agent is self-updating.
| 0x8024001D | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
| 0x8024001E | `WU_E_SERVICE_STOP` | Operation did not complete because the service or system was being shut down.
| 0x8024001F | `WU_E_NO_CONNECTION` | Operation did not complete because the network connection was unavailable.
| 0x80240020 | `WU_E_NO_INTERACTIVE_USER` | Operation did not complete because there is no logged-on interactive user.
| 0x80240021 | `WU_E_TIME_OUT` | Operation did not complete because it timed out.
| 0x80240022 | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
| 0x80240023 | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
| 0x80240024 | `WU_E_NO_UPDATE` | There are no updates.
| 0x80240025 | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
| 0x80240027 | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED` | The update could not be uninstalled because the request did not originate from a WSUS server.
| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there is an unlicensed application on the system.
| 0x8024002A | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
| 0x8024002B | `WU_E_LEGACYSERVER` | An operation did not complete because it requires a newer version of server.
| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update could not be installed because it required the source.
| 0x8024002D | `WU_E_SOURCE_ABSENT` | A full-file update could not be installed because it required the source.
| 0x8024002E | `WU_E_WU_DISABLED` | Access to an unmanaged server is not allowed.
| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation did not complete because the DisableWindowsUpdateAccess policy was set.
| 0x80240030 | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
| 0x80240031 | `WU_E_INVALID_FILE` | The file is in the wrong format.
| 0x80240032 | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
| 0x80240033 | `WU_E_EULA_UNAVAILABLE` | License terms could not be downloaded.
| 0x80240034 | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED` | The update was not processed.
| 0x80240036 | `WU_E_INVALID_OPERATION` | The object's current state did not allow the operation.
| 0x80240037 | `WU_E_NOT_SUPPORTED` | The functionality for the operation is not supported.
| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
| 0x80240039 | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method does not run on Server Core installation.
| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS` | Service is not available while sysprep is running.
| 0x80240042 | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
| 0x80240043 | `WU_E_NO_UI_SUPPORT` | There is no support for `WUA UI`.
| 0x80240FFF | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
| 0x80070422 | | Windows Update service stopped working or is not running.
| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found.
| `0x80240004` | `WU_E_NOT_INITIALIZED` | The object couldn't be initialized.
| `0x80240005` | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
| `0x80240006` | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
| `0x80240007` | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
| `0x80240008` | `WU_E_ITEMNOTFOUND` | The key for the item queried couldn't be found.
| `0x80240009` | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation can't be performed twice simultaneously.
| `0x8024000A` | `WU_E_COULDNOTCANCEL` | Cancellation of the operation wasn't allowed.
| `0x8024000B` | `WU_E_CALL_CANCELLED` | Operation was canceled.
| `0x8024000C` | `WU_E_NOOP` | No operation was required.
| `0x8024000D` | `WU_E_XML_MISSINGDATA` | Windows Update Agent couldn't find required information in the update's XML data.
| `0x8024000E` | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
| `0x8024000F` | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
| `0x80240010` | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
| `0x80240011` | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
| `0x80240012` | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
| `0x80240013` | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
| `0x80240016` | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
| `0x80240017` | `WU_E_NOT_APPLICABLE` | Operation wasn't performed because there are no applicable updates.
| `0x80240018` | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
| `0x80240019` | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update can't be installed with other updates at the same time.
| `0x8024001A` | `WU_E_POLICY_NOT_SET` | A policy value wasn't set.
| `0x8024001B` | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation couldn't be performed because the Windows Update Agent is self-updating.
| `0x8024001D` | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
| `0x8024001E` | `WU_E_SERVICE_STOP` | Operation didn't complete because the service or system was being shut down.
| `0x8024001F` | `WU_E_NO_CONNECTION` | Operation didn't complete because the network connection was unavailable.
| `0x80240020` | `WU_E_NO_INTERACTIVE_USER` | Operation didn't complete because there's no logged-on interactive user.
| `0x80240021` | `WU_E_TIME_OUT` | Operation didn't complete because it timed out.
| `0x80240022` | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
| `0x80240023` | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
| `0x80240024` | `WU_E_NO_UPDATE` | There are no updates.
| `0x80240025` | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
| `0x80240026` | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
| `0x80240027` | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
| `0x80240028` | `WU_E_UNINSTALL_NOT_ALLOWED` | The update couldn't be uninstalled because the request didn't originate from a WSUS server.
| `0x80240029` | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there's an unlicensed application on the system.
| `0x8024002A` | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
| `0x8024002B` | `WU_E_LEGACYSERVER` | An operation didn't complete because it requires a newer version of server.
| `0x8024002C` | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update couldn't be installed because it required the source.
| `0x8024002D` | `WU_E_SOURCE_ABSENT` | A full-file update couldn't be installed because it required the source.
| `0x8024002E` | `WU_E_WU_DISABLED` | Access to an unmanaged server isn't allowed.
| `0x8024002F` | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation didn't complete because the DisableWindowsUpdateAccess policy was set.
| `0x80240030` | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
| `0x80240031` | `WU_E_INVALID_FILE` | The file is in the wrong format.
| `0x80240032` | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
| `0x80240033` | `WU_E_EULA_UNAVAILABLE` | License terms couldn't be downloaded.
| `0x80240034` | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
| `0x80240035` | `WU_E_UPDATE_NOT_PROCESSED` | The update wasn't processed.
| `0x80240036` | `WU_E_INVALID_OPERATION` | The object's current state didn't allow the operation.
| `0x80240037` | `WU_E_NOT_SUPPORTED` | The functionality for the operation isn't supported.
| `0x80240038` | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
| `0x80240039` | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
| `0x80240040` | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method doesn't run on Server Core installation.
| `0x80240041` | `WU_E_SYSPREP_IN_PROGRESS` | Service isn't available while sysprep is running.
| `0x80240042` | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
| `0x80240043` | `WU_E_NO_UI_SUPPORT` | There's no support for `WUA UI`.
| `0x80240FFF` | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
| `0x80070422` | | Windows Update service stopped working or isn't running.
## Windows Update success codes
| Error code | Message | Description |
|------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| 0x00240001 | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
| 0x00240002 | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. |
| 0x00240003 | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
| 0x00240005 | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
| 0x00240006 | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
| 0x00240007 | `WU_S_ALREADY_UNINSTALLED` | The update to be removed is not installed on the system. |
| 0x00240008 | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
| `0x00240001` | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
| `0x00240002` | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. |
| `0x00240003` | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
| `0x00240004` | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
| `0x00240005` | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
| `0x00240006` | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
| `0x00240007` | `WU_S_ALREADY_UNINSTALLED` | The update to be removed isn't installed on the system. |
| `0x00240008` | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
## Windows Installer minor errors
The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer.
| Error code | Message | Description |
|------------|------------------------------|---------------------------------------------------------------------------------------------|
| 0x80241001 | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer is not configured. |
| 0x80241003 | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user. |
| 0x80241FFF | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. |
| `0x80241001` | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
| `0x80241002` | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer isn't configured. |
| `0x80241003` | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
| `0x80241004` | `WU_E_MSI_WRONG_APP_CONTEXT` | An update couldn't be applied because the application is installed per-user. |
| `0x80241FFF` | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. |
## Windows Update Agent update and setup errors
| Error code | Message | Description |
|------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent could not be updated because an INF file contains invalid information. |
| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information. |
| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. |
| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent could not be updated because setup initialization never completed successfully. |
| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. |
| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. |
| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent could not be updated because `regsvr32.exe` returned an error. |
| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported. |
| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent could not be updated because the system is configured to block the update. |
| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent could not be updated because a restart of the system is required. |
| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent could not be updated because the setup handler failed during execution. |
| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent could not be updated because the registry contains invalid information. |
| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent could not be updated because the server does not contain update information for this version. |
| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code. |
| `0x8024D001` | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent couldn't be updated because an INF file contains invalid information. |
| `0x8024D002` | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent couldn't be updated because the `wuident.cab` file contains invalid information. |
| `0x8024D003` | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent couldn't be updated because of an internal error that caused setup initialization to be performed twice. |
| `0x8024D004` | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent couldn't be updated because setup initialization never completed successfully. |
| `0x8024D005` | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent couldn't be updated because the versions specified in the INF don't match the actual source file versions. |
| `0x8024D006` | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent couldn't be updated because a WUA file on the target system is newer than the corresponding source file. |
| `0x8024D007` | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent couldn't be updated because `regsvr32.exe` returned an error. |
| `0x8024D009` | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
| `0x8024D00A` | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent couldn't be updated because the current system configuration isn't supported. |
| `0x8024D00B` | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent couldn't be updated because the system is configured to block the update. |
| `0x8024D00C` | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent couldn't be updated because a restart of the system is required. |
| `0x8024D00D` | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
| `0x8024D00E` | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
| `0x8024D00F` | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent couldn't be updated because the setup handler failed during execution. |
| `0x8024D010` | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent couldn't be updated because the registry contains invalid information. |
| `0x8024D013` | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent couldn't be updated because the server doesn't contain update information for this version. |
| `0x8024DFFF` | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent couldn't be updated because of an error not covered by another `WU_E_SETUP_*` error code. |

8
windows/deployment/update/windows-update-logs.md
View File

@ -2,20 +2,22 @@
title: Windows Update log files
description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: troubleshooting
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Windows Update log files
>Applies to: Windows 10
The following table describes the log files created by Windows Update.

13
windows/deployment/update/windows-update-overview.md
View File

@ -2,12 +2,15 @@
title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/18/2018
ms.topic: article
ms.technology: itpro-updates
---
# Get started with Windows Update
@ -31,7 +34,7 @@ To understand the changes to the Windows Update architecture that UUP introduces
![Windows Update terminology.](images/update-terminology.png)
- **Update UI** The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
- **Update UI** - The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
Update types-
@ -51,5 +54,5 @@ To understand the changes to the Windows Update architecture that UUP introduces
Additional components include the following-
- **CompDB** A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
- **Action List** The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
- **CompDB** - A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
- **Action List** - The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.

11
windows/deployment/update/windows-update-security.md
View File

@ -1,13 +1,16 @@
---
title: Windows Update security
manager: aaroncz
description: Overview of the security for Windows Update.
description: Overview of the security for Windows Update including security for the metadata exchange and content download.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 10/25/2022
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/28/2023
---
# Windows Update security

19
windows/deployment/update/wufb-compliancedeadlines.md
View File

@ -1,22 +1,21 @@
---
title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
title: Enforce compliance deadlines with policies
titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/12/2023
---
# Enforcing compliance deadlines for updates
**Applies to**
- Windows 10
- Windows 11
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
@ -26,13 +25,13 @@ With a current version, it's best to use the new policy introduced in June 2019
- Update/ConfigureDeadlineGracePeriod
- Update/ConfigureDeadlineNoAutoReboot
### Policy setting overview
## Policy setting overview
|Policy|Description |
|-|-|
| (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
### Suggested configurations
## Suggested configurations
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|

11
windows/deployment/update/wufb-reports-admin-center.md
View File

@ -1,19 +1,24 @@
---
title: Microsoft 365 admin center software updates page
titleSuffix: Windows Update for Business reports
manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows Update for Business reports</a>
- ✅ <a href=https://learn.microsoft.com/microsoft-365/admin/admin-overview/admin-center-overview >Microsoft 365 admin center</a>
ms.date: 04/26/2023
ms.technology: itpro-updates
---
# Microsoft 365 admin center software updates page
<!--37063317, 30141258, 37063041, ID2616577, ID2582518 -->
***(Applies to: Windows 11 & Windows 10 using [Windows Update for Business reports](wufb-reports-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))***
The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices.

15
windows/deployment/update/wufb-reports-configuration-intune.md
View File

@ -1,20 +1,21 @@
---
title: Configuring Microsoft Intune devices for Windows Update for Business reports
manager: aaroncz
description: Configuring devices that are enrolled in Microsoft Intune for Windows Update for Business reports
title: Configure devices using Microsoft Intune
titleSuffix: Windows Update for Business reports
description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11 and Windows 10</a> devices managed by <a href=https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune target=_blank>Microsoft Intune</a>
ms.date: 03/08/2023
ms.technology: itpro-updates
---
# Configuring Microsoft Intune devices for Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)***
This article is targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Windows Update for Business reports, within Microsoft Intune itself. Configuring devices for Windows Update for Business reports in Microsoft Intune breaks down to the following steps:

15
windows/deployment/update/wufb-reports-configuration-manual.md
View File

@ -1,19 +1,22 @@
---
title: Manually configuring devices for Windows Update for Business reports
manager: aaroncz
description: How to manually configure devices for Windows Update for Business reports
title: Manually configure devices to send data
titleSuffix: Windows Update for Business reports
description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Manually configuring devices for Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.

15
windows/deployment/update/wufb-reports-configuration-script.md
View File

@ -1,19 +1,22 @@
---
title: Windows Update for Business reports configuration script
manager: aaroncz
description: Downloading and using the Windows Update for Business reports configuration script
title: Configure clients with a script
titleSuffix: Windows Update for Business reports
description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/11/2023
ms.technology: itpro-updates
---
# Configuring devices through the Windows Update for Business reports configuration script
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business reports configuration script is the recommended method of configuring devices to send data to Microsoft for use with Windows Update for Business reports. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configure devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.

17
windows/deployment/update/wufb-reports-do.md
View File

@ -1,19 +1,22 @@
---
title: Delivery Optimization data in Windows Update for Business reports
manager: aaroncz
description: Provides information about Delivery Optimization data in Windows Update for Business reports
title: Delivery Optimization data in reports
titleSuffix: Windows Update for Business reports
description: This article provides information about Delivery Optimization data in Windows Update for Business reports.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
manager: aaroncz
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 04/12/2023
ms.technology: itpro-updates
---
# Delivery Optimization data in Windows Update for Business reports
<!--7715481-->
***(Applies to: Windows 11 & Windows 10)***
[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.

14
windows/deployment/update/wufb-reports-enable.md
View File

@ -1,19 +1,21 @@
---
title: Enable Windows Update for Business reports
manager: aaroncz
description: How to enable Windows Update for Business reports through the Azure portal
titleSuffix: Windows Update for Business reports
description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/11/2023
ms.technology: itpro-updates
---
# Enable Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. The two main steps for setting up Windows Update for Business reports are:
1. [Add Windows Update for Business reports](#bkmk_add) to your Azure subscription. This step has the following phases:

7
windows/deployment/update/wufb-reports-faq.yml
View File

@ -1,14 +1,15 @@
### YamlMime:FAQ
metadata:
title: Windows Update for Business reports - Frequently Asked Questions (FAQ)
title: Frequently Asked Questions (FAQ)
titleSuffix: Windows Update for Business reports
description: Answers to frequently asked questions about Windows Update for Business reports.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: faq
ms.date: 06/20/2023
manager: aaroncz
author: mestew
ms.author: mstewart
ms.technology: itpro-updates
ms.date: 06/20/2023
title: Frequently Asked Questions about Windows Update for Business reports
summary: |
This article answers frequently asked questions about Windows Update for Business reports. <!--7760853-->

17
windows/deployment/update/wufb-reports-help.md
View File

@ -1,20 +1,21 @@
---
title: Windows Update for Business reports feedback, support, and troubleshooting
manager: aaroncz
description: Windows Update for Business reports support information.
title: Feedback, support, and troubleshooting
titleSuffix: Windows Update for Business reports
description: Windows Update for Business reports support, feedback, and troubleshooting information.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
ms.topic: article
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/10/2023
ms.technology: itpro-updates
---
# Windows Update for Business reports feedback, support, and troubleshooting
<!-- MAX6325272, OS33771278 -->
***(Applies to: Windows 11 & Windows 10)***
There are several resources that you can use to find help with Windows Update for Business reports. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Windows Update for Business reports:
- Send [product feedback about Windows Update for Business reports](#send-product-feedback)

12
windows/deployment/update/wufb-reports-overview.md
View File

@ -1,19 +1,21 @@
---
title: Windows Update for Business reports overview
manager: aaroncz
titleSuffix: Windows Update for Business reports
description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: overview
author: mestew
ms.author: mstewart
ms.topic: article
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports overview
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices

20
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -1,19 +1,21 @@
---
title: Windows Update for Business reports prerequisites
manager: aaroncz
description: Prerequisites for Windows Update for Business reports
title: Prerequisites for Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 06/27/2023
ms.technology: itpro-updates
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/30/2023
---
# Windows Update for Business reports prerequisites
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
## Azure and Azure Active Directory
@ -68,7 +70,7 @@ Device names don't appear in Windows Update for Business reports unless you indi
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
## Data transmission requirements
## Endpoints
<!--Using include for endpoint access requirements-->
[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]

18
windows/deployment/update/wufb-reports-schema-ucclient.md
View File

@ -1,21 +1,25 @@
---
title: Windows Update for Business reports Data Schema - UCClient
manager: aaroncz
description: UCClient schema
title: UCClient data schema
titleSuffix: Windows Update for Business reports
description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/09/2023
ms.technology: itpro-updates
---
# UCClient
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
## Schema for UCClient
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |

17
windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
View File

@ -1,21 +1,26 @@
---
title: Windows Update for Business reports Data Schema - UCClientReadinessStatus
manager: aaroncz
description: UCClientReadinessStatus schema
title: UCClientReadinessStatus data schema
titleSuffix: Windows Update for Business reports
description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/06/2022
ms.technology: itpro-updates
---
# UCClientReadinessStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 10)***
UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
## Schema for UCClientReadinessStatus
|Field |Type |Example |Description |
|---|---|---|---|
| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |

17
windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
View File

@ -1,21 +1,26 @@
---
title: Windows Update for Business reports Data Schema - UCClientUpdateStatus
manager: aaroncz
description: UCClientUpdateStatus schema
title: UCClientUpdateStatus data schema
titleSuffix: Windows Update for Business reports
description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/05/2023
ms.technology: itpro-updates
---
# UCClientUpdateStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
## Schema for UCClientUpdateStatus
| Field | Type | Example | Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |

18
windows/deployment/update/wufb-reports-schema-ucdevicealert.md
View File

@ -1,21 +1,25 @@
---
title: Windows Update for Business reports Data Schema - UCDeviceAlert
manager: aaroncz
description: UCDeviceAlert schema
title: UCDeviceAlert data schema
titleSuffix: Windows Update for Business reports
description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/06/2022
ms.technology: itpro-updates
---
# UCDeviceAlert
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
## Schema for UCDeviceAlert
|Field |Type |Example |Description |
|---|---|---|---|
| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |

19
windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
View File

@ -1,22 +1,27 @@
---
title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus
ms.reviewer: carmenf
manager: aaroncz
description: UCDOAggregatedStatus schema
title: UCDOAggregatedStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
ms.reviewer: carmenf
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/17/2022
ms.technology: itpro-updates
---
# UCDOAggregatedStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
## Schema for UCDOAggregatedStatus
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |

19
windows/deployment/update/wufb-reports-schema-ucdostatus.md
View File

@ -1,22 +1,25 @@
---
title: Windows Update for Business reports Data Schema - UCDOStatus
ms.reviewer: carmenf
manager: aaroncz
description: UCDOStatus schema
title: UCDOStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
ms.prod: windows-client
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
ms.reviewer: carmenf
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/17/2022
ms.technology: itpro-updates
---
# UCDOStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
## Data schema for UCDOStatus
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |

18
windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
View File

@ -1,21 +1,25 @@
---
title: Windows Update for Business reports Data Schema - UCServiceUpdateStatus
manager: aaroncz
description: UCServiceUpdateStatus schema
title: UCServiceUpdateStatus data schema
titleSuffix: Windows Update for Business reports
description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/06/2022
ms.technology: itpro-updates
---
# UCServiceUpdateStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
## Schema for UCServiceUpdateStatus
| Field | Type | Example | Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |

18
windows/deployment/update/wufb-reports-schema-ucupdatealert.md
View File

@ -1,21 +1,25 @@
---
title: Windows Update for Business reports Data Schema - UCUpdateAlert
manager: aaroncz
description: UCUpdateAlert schema
title: UCUpdateAlert data schema
titleSuffix: Windows Update for Business reports
description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/06/2022
ms.technology: itpro-updates
---
# UCUpdateAlert
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses.
## Schema for UCUpdateAlert
|Field |Type |Example |Description |
|---|---|---|---|
| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |

18
windows/deployment/update/wufb-reports-schema.md
View File

@ -1,22 +1,24 @@
---
title: Windows Update for Business reports data schema
manager: aaroncz
description: An overview of Windows Update for Business reports data schema
titleSuffix: Windows Update for Business reports
description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
ms.topic: reference
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports schema
# Windows Update for Business reports schema
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Windows Update for Business reports and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
## Schema
## Schemas for Windows Update for Business reports
The following table summarizes the different tables that are part of the Windows Update for Business reports solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).

12
windows/deployment/update/wufb-reports-use.md
View File

@ -1,19 +1,21 @@
---
title: Use the Windows Update for Business reports data
manager: aaroncz
titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Use Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
In this article, you'll learn how to use Windows Update for Business reports to monitor Windows updates for your devices. To configure your environment for use with Windows Update for Business reports, see [Enable Windows Update for Business reports](wufb-reports-enable.md).
## Display Windows Update for Business reports data

15
windows/deployment/update/wufb-reports-workbook.md
View File

@ -1,20 +1,21 @@
---
title: Use the workbook for Windows Update for Business reports
manager: aaroncz
description: How to use the Windows Update for Business reports workbook.
titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports workbook from the Azure portal.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/23/2023
ms.technology: itpro-updates
---
# Windows Update for Business reports workbook
<!-- MAX6325272, OS33771278 -->
***(Applies to: Windows 11 & Windows 10)***
[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections:
- [Summary](#summary-tab)

23
windows/deployment/update/wufb-wsus.md
View File

@ -2,22 +2,20 @@
title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 01/13/2022
---
# Use Windows Update for Business and WSUS together
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service.
@ -70,13 +68,10 @@ The policy can be configured using the following two methods:
2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor&lt;Update Type>**:
> [!NOTE]
> You should configure **all** of these policies if you are using CSPs.
> - You should configure **all** of these policies if you are using CSPs.
> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered.
- [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver)
- [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
- [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother)
- [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality)
> [!NOTE]
> Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be alterred.

2
windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
View File

@ -53,4 +53,4 @@ You can view the excluded devices in the **Not registered** tab to make it easie
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not registered** tab, select the device(s) you want to restore.
1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**.
1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore excluded device**.

8
windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
View File

@ -225,10 +225,10 @@ Any policies, scripts or settings that create or edit values in the following re
| Key | Description |
| ----- | ----- |
| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` (Intune MDM only cloud managed)<br><br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. |
| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` (If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. |
| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update` (GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. |
| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` (GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).<br><br>Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.<br><br>For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. |
| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`<br>(Intune MDM only cloud managed)<br><br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`<br>(If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. |
| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`<br>(If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. |
| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update`<br>(GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. |
| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`<br>(GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).<br><br>Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.<br><br>For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. |
> [!NOTE]
> For more information about Windows Update Settings for Group Policy and Mobile Device Management (MDM), see [Manage additional Windows Update settings](/windows/deployment/update/waas-wu-settings).

11
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 08/08/2023
ms.date: 08/31/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -30,6 +30,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: |
| Review the [FAQ](../overview/windows-autopatch-faq.yml) | :heavy_check_mark: | :x: |
| [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
| Consult the [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | :heavy_check_mark: | :x: |
| Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
@ -38,6 +39,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Manage and respond to tenant enrollment support requests](../prepare/windows-autopatch-enrollment-support-request.md) | :x: | :heavy_check_mark: |
| Identify stakeholders for deployment communications | :heavy_check_mark: | :x: |
For more information and assistance with preparing for your Windows Autopatch deployment journey, see [Need additional guidance](../overview/windows-autopatch-deployment-guide.md#need-additional-guidance).
## Deploy
| Task | Your responsibility | Windows Autopatch |
@ -46,7 +49,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Edge end user experience](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
| Review network optimization<ul><li>[Prepare your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization) | :heavy_check_mark: | :x: |
| Review existing configurations<ul><li>Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul>| :heavy_check_mark: | :x: |
| Review existing configurations<ul><li>Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</li></ul>| :heavy_check_mark: | :x: |
| Confirm your update service needs and configure your workloads<ul><li>[Turn on or off expedited Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases)</li><li>[Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)</li><li>[Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../operate/windows-autopatch-windows-update.md)</li><li>Decide your [Windows feature update versions(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li></ul>| :heavy_check_mark: | :x: |
| [Consider your Autopatch groups distribution](../deploy/windows-autopatch-groups-overview.md)<ul><li>[Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
| [Register devices](../deploy/windows-autopatch-register-devices.md)<ul><li>[Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)</li><li>[Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
@ -83,11 +86,11 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
| [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul> | :heavy_check_mark: | :x: |
| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</ul> | :heavy_check_mark: | :x: |
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul>
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: |
| [Register a device that was previously excluded](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: |
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
| [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |

8
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 08/23/2023
ms.date: 08/31/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -34,6 +34,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature <ul><li>[MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
## August service releases
| Message center post number | Description |
| ----- | ----- |
| [MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch Service Improvements |
## July 2023
### July feature releases or updates

14
windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
View File

@ -2,7 +2,7 @@
title: Deploy WDAC policies using Mobile Device Management (MDM)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
ms.localizationpriority: medium
ms.date: 01/23/2023
ms.date: 08/30/2023
ms.topic: how-to
---
@ -28,10 +28,10 @@ Intune's built-in Windows Defender Application Control support allows you to con
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
> [!NOTE]
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> [!NOTE]
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies without a restart.
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP.
To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
@ -46,6 +46,9 @@ You should now have one or more WDAC policies converted into binary form. If not
Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
> [!NOTE]
> You must convert your custom policy XML to binary form before deploying with OMA-URI.
The steps to use Intune's custom OMA-URI functionality are:
1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
@ -53,10 +56,9 @@ The steps to use Intune's custom OMA-URI functionality are:
2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
- **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
:::image type="content" alt-text="Configure custom WDAC." source="../images/wdac-intune-custom-oma-uri.png" lightbox="../images/wdac-intune-custom-oma-uri.png":::
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.

2
windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
View File

@ -3,6 +3,8 @@ title: Managing CI Policies and Tokens with CiTool
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
ms.topic: how-to
ms.date: 04/05/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
---
# CiTool technical reference

8
windows/security/application-security/application-control/windows-defender-application-control/wdac.md
View File

@ -6,7 +6,7 @@ ms.collection:
- highpri
- tier3
- must-keep
ms.date: 04/06/2023
ms.date: 08/30/2023
ms.topic: article
---
@ -33,9 +33,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## WDAC and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@ -48,7 +48,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll

8
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -68,7 +68,9 @@ To register the applications, follow these steps:
:::row-end:::
:::row:::
:::column span="3":::
3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization
3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization.
>[!NOTE]
>After accepance, the redirect page will show a blank page. This is a known behavior.
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
@ -178,7 +180,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Applies to:** Azure AD joined devices
PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@ -196,7 +198,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| <li> OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` </li><li>Data type: String </li><li>Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**</li>|
> [!NOTE]
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
## Use PIN reset

2
windows/security/identity-protection/hello-for-business/passwordless-strategy.md
View File

@ -317,7 +317,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
> 1. Enable the setting.
> 1. Save changes again.
>
> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you.
> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you.
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:

30
windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
View File

@ -1,30 +0,0 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
# Configure Personal Data Encryption (PDE) policies in Intune
The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune.
## Required prerequisites
1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
## Security hardening recommendations
1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
1. [Disable hibernation](intune-disable-hibernation.md)
1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## See also
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

141
windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md Normal file
View File

@ -0,0 +1,141 @@
---
title: PDE settings and configuration
description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
ms.date: 08/11/2023
---
# PDE settings and configuration
This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
> [!NOTE]
> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
>
> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
## PDE settings
The following table lists the required settings to enable PDE.
| Setting name | Description |
|-|-|
|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
## PDE hardening recommendations
The following table lists the recommended settings to improve PDE's security.
| Setting name | Description |
|-|-|
|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.|
## Configure PDE with Microsoft Intune
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption|
|**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled|
|**Memory Dump**|Allow Live Dump|Block|
|**Memory Dump**|Allow Crash Dump|Block|
|**Administrative Templates > Windows Components > Windows Error Reporting** | Disable Windows Error Reporting | Enabled|
|**Power**|Allow Hibernate|Block|
|**Administrative Templates > System > Logon** | Allow users to select when a password is required when resuming from connected standby | Disabled|
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
> [!TIP]
> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags.
>
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
```
## Configure PDE with CSP
Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
|OMA-URI|Format|Value|
|-|-|-|
|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`|
|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`<disabled/>`|
|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`|
|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`|
|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|`<enabled/>`|
|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`<disabled/>`|
## Disable PDE
Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
### Disable PDE with a settings catalog policy in Intune
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption|
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
### Disable PDE with CSP
You can disable PDE with CSP using the following setting:
|OMA-URI|Format|Value|
|-|-|-|
|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
## Decrypt PDE-encrypted content
Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
1. Open the properties of the file
1. Under the **General** tab, select **Advanced...**
1. Uncheck the option **Encrypt contents to secure data**
1. Select **OK**, and then **OK** again
PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
- Decrypting a large number of files on a device
- Decrypting files on multiple of devices
To decrypt files on a device using `cipher.exe`:
- Decrypt all files under a directory including subdirectories:
```cmd
cipher.exe /d /s:<path_to_directory>
```
- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
```cmd
cipher.exe /d <path_to_file_or_directory>
```
> [!IMPORTANT]
> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
## Next steps
- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
<!--links used in this document-->
[CSP-1]: /windows/client-management/mdm/policy-configuration-service-provider
[CSP-2]: /windows/client-management/mdm/personaldataencryption-csp
[WINS-1]: /windows-server/administration/windows-commands/cipher

18
windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml → windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
View File

@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
ms.date: 03/13/2023
ms.date: 08/11/2023
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
@ -45,17 +45,9 @@ sections:
answer: |
No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- question: How can it be determined if a file is protected with PDE?
answer: |
- Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS:
1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected.
2. Select the **Details** button.
3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**.
- [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file.
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
@ -64,9 +56,3 @@ sections:
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-CBC with a 256-bit key to encrypt content.
additionalContent: |
## See also
- [Personal Data Encryption (PDE)](index.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)

20
windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
View File

@ -1,20 +0,0 @@
---
ms.topic: include
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business.
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
> [!NOTE]
> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.

184
windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
View File

@ -2,89 +2,40 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
ms.date: 03/13/2023
ms.date: 08/11/2023
---
# Personal Data Encryption (PDE)
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
The use of Windows Hello for Business offers the following advantages:
- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
- The accessibility features available when using Windows Hello for Business extend to PDE protected content
PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
## Prerequisites
### Required
To use PDE, the following prerequisites must be met:
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
- Windows 11, version 22H2 and later
- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported
- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
### Not supported with PDE
> [!IMPORTANT]
> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
### Security hardening recommendations
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
- A password is required immediately after the screen turns off.
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
### Highly recommended
- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## PDE protection levels
PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
@ -103,27 +54,11 @@ When a file is protected with PDE, its icon will show a padlock. If the user has
Scenarios where a user will be denied access to PDE protected content include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
- If protected via level 2 protection, when the device is locked.
- When trying to access content on the device remotely. For example, UNC network paths.
- Remote Desktop sessions.
- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content.
## How to enable PDE
To enable PDE on devices, push an MDM policy to the devices with the following parameters:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **1**
There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
- If protected via level 2 protection, when the device is locked
- When trying to access content on the device remotely. For example, UNC network paths
- Remote Desktop sessions
- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
## Differences between PDE and BitLocker
@ -132,8 +67,8 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker,
| Item | PDE | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
| Files protected | Individual specified files | Entire volume/drive |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
| Protected content | All files in protected folders | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
## Differences between PDE and EFS
@ -143,61 +78,38 @@ The main difference between protecting files with PDE instead of EFS is the meth
To see if a file is protected with PDE or with EFS:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. In the **Advanced Attributes** windows, select **Details**
1. Under the **General** tab, select **Advanced...**
1. In the **Advanced Attributes** windows, select **Details**
For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
## Disable PDE and decrypt content
## Recommendations for using PDE
Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
The following are recommendations for using PDE:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **0**
Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. Uncheck the option **Encrypt contents to secure data**
4. Select **OK**, and then **OK** again
PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios:
- Decrypting a large number of files on a device
- Decrypting files on a large number of devices.
To decrypt files on a device using `cipher.exe`:
- Decrypt all files under a directory including subdirectories:
```cmd
cipher.exe /d /s:<path_to_directory>
```
- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
```cmd
cipher.exe /d <path_to_file_or_directory>
```
> [!IMPORTANT]
> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE.
- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
## Windows out of box applications that support PDE
Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
- Mail
- Supports protecting both email bodies and attachments
| App name | Details |
|-|-|
| Mail | Supports protecting both email bodies and attachments|
## See also
## Next steps
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
<!--links used in this document-->
[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key

63
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
View File

@ -1,63 +0,0 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
ms.topic: how-to
ms.date: 06/01/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.
## Disable Winlogon automatic restart sign-on (ARSO) in Intune
To disable ARSO using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appear, under **Template name**, select **Administrative templates**
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable ARSO**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. On the left pane of the page, make sure **Computer Configuration** is selected
1. Under **Setting name**, scroll down and select **Windows Components**
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

62
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
View File

@ -1,62 +0,0 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable hibernation for PDE
Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.
## Disable hibernation in Intune
To disable hibernation using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Hibernation**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Power**
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

61
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
View File

@ -1,61 +0,0 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable kernel-mode crash dumps and live dumps for PDE
Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.
## Disable kernel-mode crash dumps and live dumps in Intune
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
1. Next to **Description**, enter a description.
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Memory Dump**
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

76
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
View File

@ -1,76 +0,0 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable allowing users to select when a password is required when resuming from connected standby for PDE
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- A password is required immediately after the screen turns off
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
## Disable allowing users to select when a password is required when resuming from connected standby in Intune
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
1. Next to **Description**, enter a description
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **System**
1. Under **System**, scroll down and select **Logon**
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
1. select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
## More information
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

64
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
View File

@ -1,64 +0,0 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.
## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **Windows Components**
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

70
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
View File

@ -1,70 +0,0 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Enable Personal Data Encryption (PDE)
By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
## Enable Personal Data Encryption (PDE) in Intune
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appears, under **Template name**, select **Custom**
1. Select **Create** to close the **Create profile** window
1. The **Custom** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Select **Next**
1. In **Configuration settings** page:
1. Next to **OMA-URI Settings**, select **Add**
1. In the **Add Row** window that opens:
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Next to **OMA-URI**, enter in:
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
1. Next to **Data type**, select **Integer**
1. Next to **Value**, enter in **1**
1. Select **Save** to close the **Add Row** window
1. Select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Applicability Rules**, configure if necessary and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

20
windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
View File

@ -1,19 +1,7 @@
items:
- name: Overview
- name: PDE overview
href: index.md
- name: Configure PDE with Intune
href: configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: intune-disable-wer.md
- name: Disable hibernation for PDE
href: intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: intune-disable-password-connected-standby.md
- name: Configure PDE
href: configure.md
- name: PDE frequently asked questions (FAQ)
href: faq-pde.yml
href: faq.yml

3
windows/whats-new/deprecated-features.md
View File

@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 08/01/2023
ms.date: 09/01/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@ -51,6 +51,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is is no longer being developed. | September, 2019 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. <br>&nbsp;<br>PSR was removed in Windows 11.| 1909 |

2
windows/whats-new/windows-11-overview.md
View File

@ -152,7 +152,7 @@ For more information on the security features you can configure, manage, and enf
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps).
In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.