Merge branch 'main' into dep-vbsencl-9693593

2025-05-12 13:27:23 +00:00 · 2025-04-15 14:34:10 -07:00 · 2025-04-15 14:34:10 -07:00 · 9cc45830d7
commit 9cc45830d7
parent f989d0ccb6 edc272a2da
17 changed files with 330 additions and 5110 deletions
--- a/.github/workflows/AutoPublish.yml
+++ b/.github/workflows/AutoPublish.yml
@ -0,0 +1,25 @@
 name: (Scheduled) Publish to live
 permissions:
  contents: write
  pull-requests: write
 on:
  schedule:
    - cron: "25 5,11,17,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
  workflow_dispatch:
 jobs:
  auto-publish:
    if: github.repository_owner == 'MicrosoftDocs' && contains(github.event.repository.topics, 'build')
    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@workflows-prod
    with:
        PayloadJson: ${{ toJSON(github) }}
        EnableAutoPublish: true
    secrets:
        AccessToken: ${{ secrets.GITHUB_TOKEN }}
        PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
        ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@ -41,7 +41,7 @@ ms.topic: include
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](/defender-office-365/app-guard-for-office-install)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 11/02/2023
+ms.date: 04/14/2025
 ms.topic: include
 ---
@ -41,7 +41,7 @@ ms.topic: include
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](/defender-office-365/app-guard-for-office-install)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes|
--- a/includes/licensing/unbranded-boot.md
+++ b/includes/licensing/unbranded-boot.md
@ -0,0 +1,14 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 04/09/2025
 ms.topic: include
 ---
 ### Windows edition requirements
 The following list contains the Windows editions that support Unbranded Boot:
 ✅ Enterprise / Enterprise LTSC\
 ✅ Education\
 ✅ IoT Enterprise / IoT Enterprise LTSC
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@ -144,7 +144,7 @@ Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant
 <!-- AllowMicrosoftAccountSignInAssistant-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!CAUTION]
-> If the Microsoft Account Sign-In Assistant service is disabled, the initial digital license activation with a Multiple Activation Key (MAK) will fail.
+> If the Microsoft Account Sign-In Assistant service is disabled, the initial digital license activation with a Multiple Activation Key (MAK) or Digital Product Key (DPK) will fail.
 <!-- AllowMicrosoftAccountSignInAssistant-Editable-End -->
 <!-- AllowMicrosoftAccountSignInAssistant-DFProperties-Begin -->
--- a/windows/configuration/images/icons/xml.svg
+++ b/windows/configuration/images/icons/xml.svg
@ -0,0 +1,7 @@
 <svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path d="M3.46385 12.006L1.41972 14.0625L3.46272 16.11L2.66735 16.9054L0.224976 14.4596V13.6643L2.66622 11.2129L3.46385 12.006ZM9.79985 11.2185L9.01235 12.0161L11.0666 14.0625L9.00672 16.11L9.79985 16.9076L12.2625 14.463V13.6654L9.79985 11.2185ZM4.5281 17.2598L5.59685 17.6153L7.84685 10.8653L6.7781 10.5098L4.5281 17.2598Z" fill="#0883D9"/>
 <g opacity="0.75">
 <path d="M15.5858 4.66425L12.2108 1.28925L11.8125 1.125H2.8125L2.25 1.6875V10.125H3.375V2.25H11.25V5.625H14.625V15.75H12.5618L11.43 16.875H15.1875L15.75 16.3125V5.0625L15.5858 4.66425Z" fill="#0883D9"/>
 <path opacity="0.1" d="M15.1875 5.0625V16.3125H11.9959L13.3875 14.931V13.1985L10.125 10.125H2.8125V1.6875H11.8125L15.1875 5.0625Z" fill="#0883D9"/>
 </g>
 </svg>
--- a/windows/configuration/unbranded-boot/images/boot.jpg
+++ b/windows/configuration/unbranded-boot/images/boot.jpg
--- a/windows/configuration/unbranded-boot/images/boot.png
+++ b/windows/configuration/unbranded-boot/images/boot.png
--- a/windows/configuration/unbranded-boot/index.md
+++ b/windows/configuration/unbranded-boot/index.md
@ -1,160 +1,155 @@
 ---
 title: Unbranded Boot
-description: Unbranded Boot
+description: Learn about Unbranded Boot, a feature that suppresses Windows elements that appear when Windows starts. Unbranded Boot can also suppress the crash screen when Windows encounters an error that it can't recover from.
-ms.date: 09/10/2024
+ms.date: 04/11/2025
-ms.topic: overview
+ms.topic: how-to
 ---
 # Unbranded Boot
-You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot.
+Unbranded Boot is a Windows feature that allows you to suppress Windows elements that appear when Windows starts. It can also suppress the crash screen when Windows encounters an error that it can't recover from. This feature is useful for devices that are used in public spaces, such as kiosks and digital signs, where a clean and professional appearance is important.
 [!INCLUDE [unbranded-boot](../../../includes/licensing/unbranded-boot.md)]
 ## Enable Unbranded Boot
 Unbranded Boot is an optional component and isn't enabled by default in Windows. To configure it, you must first enable it.
 There are different ways to enable Unbranded Boot, select the method that best fits your needs to learn more.
 #### [:::image type="icon" source="../images/icons/control-panel.svg"::: **Control Panel**](#tab/control-panel1)
 To enable Unbranded Boot using the Control Panel, follow these steps:
 1. Open **Control Panel** > **Programs** > **Turn Windows features on or off** or use the command `optionalfeatures.exe`
 1. Expand **Device Lockdown** and select **Unbranded Boot**
 1. Select **OK** to enable Unbranded Boot
 1. Restart your device to apply the changes
 #### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/powershell1)
 To enable Unbranded Boot using PowerShell, follow these steps:
 1. Open a PowerShell window with administrator privileges
 1. Run the following command:
    ```powershell
    Enable-WindowsOptionalFeature -FeatureName Client-DeviceLockdown,Client-EmbeddedBootExp -Online
    ```
 1. Restart your device to apply the changes
 ---
 > [!IMPORTANT]
 > The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator.
-## Requirements
+## Configure Unbranded Boot
-Unbranded Boot can be enabled on:
+The following instructions provide details about how to configure your devices. Select the option that best suits your needs.
- Windows 10 Enterprise
+> [!NOTE]
- Windows 10 IoT Enterprise
+> If Windows is already installed, you can't apply a provisioning package to configure Unbranded Boot. Instead, you must use the command prompt to configure Unbranded Boot.
 - Windows 10 Education
 - Windows 11 Enterprise
 - Windows 11 IoT Enterprise
 - Windows 11 Education
-## Terminology
+#### [:::image type="icon" source="../images/icons/cmd.svg"::: **Command prompt**](#tab/cmd)
- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line.
+You can use the `bcdedit.exe` command to configure Unbranded Boot settings at runtime.
- **Configure:** To customize the setting or subsettings.
+> [!NOTE]
 > `Bcdedit.exe` is a command-line tool for editing the Boot Configuration Data (BCD) of Windows. Administrator privileges are required to use BCDEdit to modify the BCD.
- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511.
+1. Open a command prompt as an administrator
-
+1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu
 - **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later.
 ## Turn on Unbranded Boot settings
 Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring.
 If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed.
 BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD.
 ### Turn on Unbranded Boot by using Control Panel
 1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
 1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**.
 1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
 1. Restart your device to apply the changes.
 ## Configure Unbranded Boot settings at runtime using BCDEdit
 1. Open a command prompt as an administrator.
 1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu.
   ```cmd
   bcdedit.exe -set {globalsettings} advancedoptions false
   ```
-1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu.
+1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu
   ```cmd
   bcdedit.exe -set {globalsettings} optionsedit false
   ```
-1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup.
+1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup
   ```cmd
   bcdedit.exe -set {globalsettings} bootuxdisabled on
   ```
-1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen.
+1. Run the following command to suppress any error screens that are displayed during boot. If `noerrordisplay` is set to `on` and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen
   ```cmd
   bcdedit.exe -set {bootmgr} noerrordisplay on
   ```
-## Configure Unbranded Boot using Unattend
+#### [:::image type="icon" source="../images/icons/xml.svg"::: **Unattend**](#tab/unattend)
-You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp.
+You can configure the Unattend settings in the `Microsoft-Windows-Embedded-BootExp` component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file.
 ### Unbranded Boot settings
-The following table shows Unbranded Boot settings and their values.
+The following table lists Unbranded Boot settings and their values.
 | Setting | Description | Value |
 |---------|-------------|-------|
-| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. |
+| `DisableBootMenu` | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the *Advanced startup options* menu. | - Set to `1` to disable the menu<br>- The default value is `0`|
-| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. |
+| `DisplayDisabled` | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | - Set to `1` to display a blank screen on error<br>- The default value is `0`|
-| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. |
+| `HideAllBootUI` | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | - Set to `1` to suppress all Windows UI elements during startup<br>- The default value is `0`|
-| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. |
+| `HideBootLogo` | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | - Set to `1` to suppress the default Windows logo<br>- The default value is `0`|
-| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. |
+| `HideBootStatusIndicator` | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | - Set to `1` to suppress the status indicator<br>- The default value is `0`|
-| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. |
+| `HideBootStatusMessage` | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | - Set to `1` to suppress the startup status text<br>- The default value is `0`|
-## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM)
+For more information about the Unbranded Boot settings and XML examples, see the settings in [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp).
-You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup.
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
+Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM).
-1. In the Available customizations page, select **Runtime settings** &gt; **SMISettings** and then set the value for the boot screen settings. The following values are just examples.
+You must enable Unbranded Boot on the installation media with DISM before you can apply settings for Unbranded Boot using either Windows Configuration Designer or applying a provisioning package during setup.
-   - **HideAllBootUI**=FALSE
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
   - **HideBootLogo**=FALSE
   - **HideBootStatusIndicator**=TRUE
   - **HideBootStatusMessage**=TRUE
   - **CrashDumpEnabled**=Full dump
-   > [!TIP]
+|Path|Value|
-   > For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
+|---|---|
 |`Runtime settings/SMISettings/HideAllBootUI`| `TRUE` or `FALSE`|
 |`Runtime settings/SMISettings/HideBootLogo`| `TRUE` or `FALSE`|
 |`Runtime settings/SMISettings/HideBootStatusIndicator`| `TRUE` or `FALSE`|
 |`Runtime settings/SMISettings/HideBootStatusMessage`| `TRUE` or `FALSE`|
-1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings.
+> [!TIP]
-   1. Open a command prompt with administrator privileges.
+> For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
   1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim).
   1. Create a new directory.
-      ```cmd
+Once you finish to configure the settings and building the package or image, use DISM to apply the settings:
      md c:\wim
      ```
-   1. Mount the image.
+1. Open a command prompt with administrator privileges
 1. Copy `install.wim` to a temporary folder on the hard drive (for example, `c:\wim`)
 1. Create a new directory to mount the image:
-      ```cmd
+    ```cmd
-      dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
+    md c:\wim
-      ```
+    ```
 1. Mount the image:
    ```cmd
    dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
    ```
 1. Enable the feature:
    ```cmd
    dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
    ```
 1. Commit the change:
    ```cmd
    dism /unmount-wim /MountDir:c:\wim /Commit
    ```
-   1. Enable the feature.
+---
-      ```cmd
+In the following image:
      dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
      ```
-   1. Commit the change.
+1. `BootLogo` is outlined in green
 1. `BootStatusIndicator` is outlined in red
 1. `BootStatusMessage` is outlined in blue
-      ```cmd
+:::image type="content" source="images/boot.png" alt-text="Screenshot of the boot screen showing the areas that can be configured with Unbranded Boot." border="false":::
      dism /unmount-wim /MountDir:c:\wim /Commit
      ```
 In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue.
 ![unbranded boot screen](images/boot.jpg)
 ## Replace the startup logo
 The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo.
 ## Suppress Errors During Boot
 Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting.
 1. Open a command prompt as an administrator.
 1. Run the following command to suppress error screens during boot.
   ```cmd
   bcdedit.exe -set {bootmgr} noerrordisplay on
   ```
 ## Related articles
 - [Custom Logon](../custom-logon/index.md)
--- a/windows/deployment/do/mcc-ent-deploy-to-linux.md
+++ b/windows/deployment/do/mcc-ent-deploy-to-linux.md
@ -28,7 +28,7 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m
 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
    >[!Note]
-    >* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
+    >* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command.
 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
 1. Run the provisioning command on the host machine.
@ -47,8 +47,8 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
 1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
-    >[!Note]
+    > [!Note]
-    >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
+    >* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command.
 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
 1. Replace the values in the following provisioning command before running it on the host machine.
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@ -1,7 +1,7 @@
 ---
 title: Hotpatch updates
 description: Use Hotpatch updates to receive security updates without restarting your device
-ms.date: 04/04/2025
+ms.date: 04/11/2025
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: how-to
@ -21,25 +21,20 @@ Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updat
 Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
 > [!NOTE]
 > Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
 ## Key benefits
 - Hotpatch updates streamline the installation process and enhance compliance efficiency.
 - No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
 - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
-## Release cycles
+## Prerequisites
-For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+To benefit from Hotpatch updates, devices must meet the following prerequisites:
-| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
+- For licensing requirements, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
-| ----- | ----- | ----- |
+- Windows 11 Enterprise version 24H2 or later
-| 1 | January | February and March |
+- Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
-| 2 | April | May and June |
+- Microsoft Intune to manage hotpatch update deployment with the [Windows quality update policy with hotpatch turned on](#enroll-devices-to-receive-hotpatch-updates).
 | 3 | July | August and September |
 | 4 | October | November and December |
 ## Operating system configuration prerequisites
@ -49,28 +44,30 @@ To prepare a device to receive Hotpatch updates, configure the following operati
 VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).
-### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) (Public preview)
+> [!NOTE]
 > Devices might be temporarily ineligible because they don’t have VBS enabled or aren’t currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see [Troubleshoot hotpatch updates](#troubleshoot-hotpatch-updates).
 ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
 > [!IMPORTANT]
 > **Arm 64 devices are in public preview**. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder.
-Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
+
-DWORD key value: HotPatchRestrictions=1
+To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates.
 > [!IMPORTANT]
 > This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
 To disable CHPE, create and/or set the following DWORD registry key:
 Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
 DWORD key value: HotPatchRestrictions=1
 > [!NOTE]
 > There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don’t have CHPE.
 If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.  
 ## Eligible devices
 To benefit from Hotpatch updates, devices must meet the following prerequisites:
 - Operating System: Devices must be running Windows 11 24H2 or later.
 - VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
 - Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
 ## Ineligible devices
 Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.  
@ -80,6 +77,32 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
 > [!NOTE]
 > If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
 ## Release cycles
 For more information about the release calendar for hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
 - Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required.
 - Hotpatch: Includes security updates. No restarted required.
 | Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
 | ----- | ----- | ----- |
 | 1 | January | February and March |
 | 2 | April | May and June |
 | 3 | July | August and September |
 | 4 | October | November and December |
 ## Hotpatch on Windows 11 Enterprise or Windows Server 2025
 > [!NOTE]
 > Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
 Hotpatch updates are similar between Windows 11 and Windows Server 2025.
 - Windows Autopatch manages Windows 11 updates
 - Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information, on Windows Server and Windows 365, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
 The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems (OS). It’s possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from [Windows release health](/windows/release-health/) to keep up to date.
 ## Enroll devices to receive Hotpatch updates
 > [!NOTE]
@ -94,11 +117,11 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
 1. Select **Create**, and select **Windows quality update policy**.
 1. Under the **Basics** section, enter a name for your new policy and select Next.
 1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
-1. Select the appropriate Scope tags or leave as Default and select **Next**.
+1. Select the appropriate Scope tags or leave as Default. Then, select **Next**.
 1. Assign the devices to the policy and select **Next**.
 1. Review the policy and select **Create**.
-These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+These steps ensure that targeted devices, which are [eligible](#prerequisites) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
 > [!NOTE]
 > Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
@ -106,3 +129,48 @@ These steps ensure that targeted devices, which are [eligible](#eligible-devices
 ## Roll back a hotpatch update
 Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
 ## Troubleshoot hotpatch updates
 ### Step 1: Verify the device is eligible for hotpatch updates and on a hotpatch baseline before the hotpatch update is installed
 Hotpatching follows the hotpatch release cycle. Review the prerequisites to ensure the device is [eligible](#prerequisites) for hotpatch updates. For information on devices that don’t meet the prerequisites, see [Ineligible devices](#ineligible-devices).
 For the latest release schedule, see the [hotpatch release notes](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1). For information on Windows update history, see [Windows 11, version 24H2 update history](https://support.microsoft.com/topic/windows-11-version-24h2-update-history-0929c747-1815-4543-8461-0160d16f15e5).
 ### Step 2: Verify the device has Virtualization-based security (VBS) turned on
 1. Select **Start**, and enter `System information` in the Search.
 1. Select **System information** from the results.
 1. Under **System summary**, under the **Item column**, find **Virtualization-based security**.
 1. Under the **Value column**, ensure it states **Running**.
 ### Step 3: Verify the device is properly configured to turn on hotpatch updates
 1. In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the **Windows Update** > **Quality Updates** page.  
 1. Ensure the hotpatch update policy is set to **Allow**.
 1. On the device, select **Start** > **Settings** > **Windows Update** > **Advanced options** > **Configured update policies** > find **Enable hotpatching when available**. This setting indicates that the device is enrolled in hotpatch updates as configured by Autopatch.
 ### Step 4: Disable compiled hybrid PE usage (CHPE) (Arm64 CPU only)
 For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only).
 ### Step 5: Use Event viewer to verify the device has hotpatch updates turned on
 1. Right-click on the **Start** menu, and select **Event viewer**.
 1. Search for **AllowRebootlessUpdates** in the filter. If AllowRebootlessUpdates is set to `1`, the device is enrolled in the Autopatch update policy and has hotpatch updates turned on:
 ``
 "data": {
 "payload": "{\"Orchestrator\":{\"UpdatePolicy\":{\"Update/AllowRebootlessUpdates\":true}}}",
 "isEnrolled": 1,
 "isCached": 1,
 "vbsState": 2,
 ``
 ### Step 6: Check Windows Logs for any hotpatch errors
 Hotpatch updates provide an inbox monitor service that checks for the health of the updates installed on the device. If the monitor service detects an error, the service logs an event in the Windows Application Logs. If there's a critical error, the device installs the standard (LCU) update to ensure the device is fully secure.
 1. Right-click on the **Start** menu, and select **Event viewer**.
 1. Search for **hotpatch** in the filter to view the logs.
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@ -4,7 +4,7 @@ metadata:
  description: Answers to frequently asked questions about Windows Autopatch.
  ms.service: windows-client
  ms.topic: faq
-  ms.date: 03/31/2025
+  ms.date: 04/11/2025
  audience: itpro
  ms.localizationpriority: medium
  manager: aaroncz
@ -97,6 +97,59 @@ sections:
      - question: Can I configure when to move to the next ring or is it controlled by Windows Autopatch?
        answer: |
          You're in full control over when updates are deployed to their devices. Autopatch groups will recommend a set of intelligent defaults but those are fully customizable so that you can achieve your desired rollout.
  - name: Hotpatch updates
    questions:
      - question: What are the licensing requirements for hotpatch updates?
        answer: |
          Windows 11 Enterprise E3 or E5, Windows 11 Enterprise F3 or F5, Windows 11 Education A3 or A5, or a Windows 365 Enterprise license. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md).
      - question: Can I still restart devices as often as I want?
        answer: |
          Yes, devices that install hotpatch updates are protected the moment the update is installed. However, if a user or your IT Admin wishes to restart the PC you can do it anytime. The device restarts and runs the hotpatch updates.
      - question: Can I use hotpatch updates on Arm64 devices?
        answer: |
          Yes, hotpatch updates are available for Arm64 devices. For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](../manage/windows-autopatch-hotpatch-updates.md#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only)).
      - question: What is the default hotpatch behavior on Windows Home or Pro devices?
        answer: |
          Hotpatch updates aren't available to Home or Pro devices. Hotpatching requires domain admin or group policy. It's available only via Windows Autopatch update policy, which includes Windows 365 Enterprise, E3/E5, F3 and A3/A5 licenses. 
      - question: How do I enroll devices to receive hotpatch updates?
        answer: |
          For more information, see [Enroll devices to receive hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md#enroll-devices-to-receive-hotpatch-updates).
      - question: What if some devices in my hotpatch policy aren't eligible for hotpatch updates?
        answer: |
          For more information on eligibility, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [ineligible devices](../manage/windows-autopatch-hotpatch-updates.md#ineligible-devices).
      - question: How is hotpatching different for Windows 11 Enterprise and Windows Server 2025?
        answer: |
          For more information, see [Hotpatch on Windows 11 Enterprise or Windows Server 2025](../manage/windows-autopatch-hotpatch-updates.md#hotpatch-on-windows-11-enterprise-or-windows-server-2025).
      - question: How can I tell which of my devices installed a hotpatch update?
        answer: |
          Devices receiving the hotpatch update have a different KB number tracking the release and a different OS version than devices receiving the standard update that requires a restart. The monthly KB release articles indicate if the KB installed is hotpatch capable and the corresponding OS version. The following Windows Update message appears “Great news! The latest security update was installed without a restart.”
      - question: What if I restart a device after receiving a hotpatch update?
        answer: |
          The device stays on the hotpatch update KB/OS version after a restart. It won't receive any new features as part of the regular servicing track until the next quarterly cumulative baseline update. 
      - question: Do hotpatch updates only update common system binaries loaded in third-party processes or only Microsoft processes?
        answer: |
          Hotpatch updates aren't limited to Microsoft processes. Hotpatch updates are only created for OS binaries. Any process loading OS binaries that have hotpatch updates installed are updated before the application or operating system uses the binaries. This includes common system dynamic link libraries (DLLs) like ntdll.dll. 
      - question: How can I find out if a hotpatch update was applied to the specific DLL?
        answer: | 
          You can see the hotpatch modules in the memory dump. Symbols for hotpatched DLLs depend on the function that receives the update. Some code that is hotpatch-updated could be public (symbols), while other functions could be private (no symbols).  
      - question: Are there kernel-mode hotpatch updates?
        answer: |
          Yes, there are kernel-mode hotpatch updates.
      - question: What does a failure to apply a hotpatch update look like?
        answer: |
          Hotpatch failures are the same as CBS failures when installing other KBs (not enough disk space or download errors for example). In addition, hotpatch update errors are recorded in the event logs. Search the system log for the keyword “hotpatch” to see if your system encountered any errors.
      - question: Can you switch from hotpatch update to the Standard Windows monthly updates?
        answer: |
          Yes, you can. You can manually download the standard Windows monthly update from the Microsoft Update Catalog. In this case, the device stops receiving hotpatch updates and receives standard Windows updates until the month after the next baseline update. Since the device is still enrolled in hotpatching, the device automatically rejoins the hotpatch cadence of updates after the update is released on the baseline month.
      - question: How do hotpatch update events show up in audit logs?
        answer: |
          Process explorer shows it loaded in memory OS ``<binary name>_hotpatch`` loaded in memory. The hotpatch update KB includes a link to the CSV file listing the update payload. 
      - question: Can I get security alerts through Event Tracing for Windows (ETW) about hotpatch updates?
        answer: |
          Hotpatch events are captured in the audit log. Search for “hotpatch” in the audit log to find related errors if any were captured.
      - question: Do I need to test hotpatch updates if I already test monthly updates?
        answer: |
          You should test hotpatch updates when released 8 times a year (according to plan) and the regular monthly updates 12 times a year. There are no hotpatch updates for you to test in January (1B), April (4B), July (7B), or October (10B).
  - name: Support
    questions:
      - question: Does Windows Autopatch Support Dual Scan for Windows Update?
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
@ -1,7 +1,7 @@
 ---
 title: What's new 2025
 description: This article lists the 2025 feature releases and any corresponding Message center post numbers.
-ms.date: 03/31/2025
+ms.date: 04/11/2025
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: whats-new
@ -21,6 +21,15 @@ This article lists new and updated feature releases, and service releases, with
 Minor corrections such as typos, style, or formatting issues aren't listed.
 ## April 2025
 ### April feature releases or updates
 | Article | Description |
 | ----- | ----- |
 | [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Added [troubleshooting](../manage/windows-autopatch-hotpatch-updates.md#troubleshoot-hotpatch-updates) section |
 | [FAQ](../overview/windows-autopatch-faq.yml) | Added [hotpatch updates](../overview/windows-autopatch-faq.yml#hotpatch-updates) section to the FAQ. |
 ## March 2025
 ### March feature releases or updates
--- a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@ -212,7 +212,7 @@ The following event indicates whether TPM is used for key protection. Path: `App
  :::column-end:::
 :::row-end:::
-If you're running with a TPM, the TPM PCR mask value is something other than 0.
+The TPM PCR mask is only relevant when SRTM is used. If the cached Copy status is 1, SRTM was not used - typically indicating DRTM is in use - and the PCR mask should be ignored.
 ## Disable Credential Guard
--- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@ -139,7 +139,7 @@ To enroll a certificate from an existing certificate authority:
 1. Select **All Tasks** > **Request New Certificate**
 1. When the Certificate Enrollment wizard opens, select **Next**
 1. Select **Active Directory Enrollment Policy**
-1. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**
+1. Choose the certificate template that was created for Network Unlock on the domain controller. In case the message "More information is required to enroll for this certificate. Click here to configure settings." is shown, click on it. On the new window, in **Subject** tab, under **Alternative names**, select **DNS** and set the FQDN of the WDS server. Save the changes by clicking **OK** and then select **Enroll**
 1. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate For example: *BitLocker Network Unlock Certificate for Contoso domain*
 1. Create the certificate. Ensure the certificate appears in the **Personal** folder
 1. Export the public key certificate for Network Unlock:
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@ -8,7 +8,7 @@ author: mestew
 manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 03/18/2025
+ms.date: 04/14/2025
 ms.collection:
  - highpri
  - tier2
@ -23,6 +23,8 @@ The Windows 10 Extended Security Updates (ESU) program gives customers the optio
 Individuals or organizations who elect to continue using Windows 10 after support ends on October 14, 2025, will have the option of enrolling their PCs into a paid ESU subscription. The ESU program enables PCs to continue to receive critical and important security updates through an annual subscription service after support ends. The [Microsoft Security Response Center](https://msrc.microsoft.com/) defines the [severity rating for security updates](https://www.microsoft.com/msrc/security-update-severity-rating-system).
 > [!Note]
 > Looking for consumer information? For individuals or Windows 10 Home customers, more information about Extended Security Updates for Windows 10 is available in the frequently asked questions section of the [End of support for Windows 10](https://www.microsoft.com/windows/end-of-support) page. <!--10013381-->
 ## Device prerequisites
@ -45,7 +47,19 @@ The following are frequently asked questions about the ESU program for Windows 1
 ### How much does ESU cost?
-Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines in the following services:
 - [Windows 365](/windows-365/overview) 
 - [Azure Virtual Desktop](/azure/virtual-desktop/overview)
 - [Azure virtual machines](/azure/virtual-machines/overview)
 - [Azure Dedicated Host](/azure/virtual-machines/dedicated-hosts)
 - [Azure VMware Solution](/azure/azure-vmware/introduction)
 - [Nutanix Cloud Clusters on Azure](/azure/baremetal-infrastructure/workloads/nc2-on-azure/about-nc2-on-azure)
 - [Azure Local](/azure/azure-local/overview) (Azure Local is the new name for Azure Stack HCI)
 - [Azure Stack Hub](/azure-stack/operator/azure-stack-overview)
 - [Azure Stack Edge](/azure/databox-online/)
 Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
 For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year.