Merge branch 'security-book-24' of github.com:paolomatarazzo/windows-docs-pr into security-book-24

2025-05-13 13:57:22 +00:00 · 2024-11-07 09:51:12 -05:00 · 2024-11-07 09:51:12 -05:00 · acf2b36760
commit acf2b36760
parent 22032c817c 09507f26c3
17 changed files with 475 additions and 40 deletions
--- a/windows/client-management/mdm/declaredconfiguration-csp.md
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@ -1,7 +1,7 @@
 ---
 title: DeclaredConfiguration CSP
 description: Learn more about the DeclaredConfiguration CSP.
-ms.date: 09/12/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -45,6 +45,8 @@ The following list shows the DeclaredConfiguration configuration service provide
      - [Results](#hostinventoryresults)
        - [{DocID}](#hostinventoryresultsdocid)
          - [Document](#hostinventoryresultsdociddocument)
  - [ManagementServiceConfiguration](#managementserviceconfiguration)
    - [ConflictResolution](#managementserviceconfigurationconflictresolution)
 <!-- DeclaredConfiguration-Tree-End -->
 <!-- Device-Host-Begin -->
@ -728,6 +730,93 @@ The Document node's value is an XML based document containing a collection of se
 <!-- Device-Host-Inventory-Results-{DocID}-Document-End -->
 <!-- Device-ManagementServiceConfiguration-Begin -->
 ## ManagementServiceConfiguration
 <!-- Device-ManagementServiceConfiguration-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-ManagementServiceConfiguration-Applicability-End -->
 <!-- Device-ManagementServiceConfiguration-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration
 ```
 <!-- Device-ManagementServiceConfiguration-OmaUri-End -->
 <!-- Device-ManagementServiceConfiguration-Description-Begin -->
 <!-- Description-Source-DDF -->
 The ManagementServiceConfiguration node that's used to control certain Windows Declared Configuration behavior.
 <!-- Device-ManagementServiceConfiguration-Description-End -->
 <!-- Device-ManagementServiceConfiguration-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-ManagementServiceConfiguration-Editable-End -->
 <!-- Device-ManagementServiceConfiguration-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `node` |
 | Access Type | Get |
 <!-- Device-ManagementServiceConfiguration-DFProperties-End -->
 <!-- Device-ManagementServiceConfiguration-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-ManagementServiceConfiguration-Examples-End -->
 <!-- Device-ManagementServiceConfiguration-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Begin -->
 ### ManagementServiceConfiguration/ConflictResolution
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Applicability-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration/ConflictResolution
 ```
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-OmaUri-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Description-Begin -->
 <!-- Description-Source-DDF -->
 This node controls to turn on conflict resolution on and off.
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Description-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Editable-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-DFProperties-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 | The conflict resolution is OFF. |
 | 1 | The conflict resolution is ON. |
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-AllowedValues-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-Examples-End -->
 <!-- Device-ManagementServiceConfiguration-ConflictResolution-End -->
 <!-- DeclaredConfiguration-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 ## DeclaredConfiguration OMA URI
--- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@ -1,7 +1,7 @@
 ---
 title: DeclaredConfiguration DDF file
 description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
-ms.date: 06/28/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -466,6 +466,61 @@ The following XML file contains the device description framework (DDF) for the D
        </Node>
      </Node>
    </Node>
    <Node>
      <NodeName>ManagementServiceConfiguration</NodeName>
      <DFProperties>
        <AccessType>
          <Get />
        </AccessType>
        <Description>The ManagementServiceConfiguration node that is used to control certain Windows Declared Configuration behavior</Description>
        <DFFormat>
          <node />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFType>
          <DDFName />
        </DFType>
      </DFProperties>
      <Node>
        <NodeName>ConflictResolution</NodeName>
        <DFProperties>
          <AccessType>
            <Add />
            <Delete />
            <Get />
            <Replace />
          </AccessType>
          <Description>This node controls to turn on conflict resolution on and off.</Description>
          <DFFormat>
            <int />
          </DFFormat>
          <Occurrence>
            <One />
          </Occurrence>
          <Scope>
            <Dynamic />
          </Scope>
          <DFType>
            <MIME />
          </DFType>
          <MSFT:AllowedValues ValueType="ENUM">
            <MSFT:Enum>
              <MSFT:Value>0</MSFT:Value>
              <MSFT:ValueDescription>The conflict resolution is OFF.</MSFT:ValueDescription>
            </MSFT:Enum>
            <MSFT:Enum>
              <MSFT:Value>1</MSFT:Value>
              <MSFT:ValueDescription>The conflict resolution is ON.</MSFT:ValueDescription>
            </MSFT:Enum>
          </MSFT:AllowedValues>
        </DFProperties>
      </Node>
    </Node>
  </Node>
 </MgmtTree>
 ```
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@ -1,7 +1,7 @@
 ---
 title: LAPS CSP
 description: Learn more about the LAPS CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -325,7 +325,7 @@ Note if a custom managed local administrator account name is specified in this s
 <!-- Description-Source-DDF -->
 Use this setting to configure whether the password is encrypted before being stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
 This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
@ -387,7 +387,7 @@ If not specified, this setting defaults to True.
 <!-- Description-Source-DDF -->
 Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
 If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@ -1,7 +1,7 @@
 ---
 title: LAPS DDF file
 description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -80,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the L
 The allowable settings are:
 0=Disabled (password will not be backed up)
-1=Backup the password to Azure AD only
+1=Backup the password to Microsoft Entra ID only
 2=Backup the password to Active Directory only
 If not specified, this setting will default to 0.</Description>
@ -103,7 +103,7 @@ If not specified, this setting will default to 0.</Description>
            </MSFT:Enum>
            <MSFT:Enum>
              <MSFT:Value>1</MSFT:Value>
-              <MSFT:ValueDescription>Backup the password to Azure AD only</MSFT:ValueDescription>
+              <MSFT:ValueDescription>Backup the password to Microsoft Entra ID only</MSFT:ValueDescription>
            </MSFT:Enum>
            <MSFT:Enum>
              <MSFT:Value>2</MSFT:Value>
@ -126,7 +126,7 @@ If not specified, this setting will default to 0.</Description>
 If not specified, this setting will default to 30 days
-This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
+This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
 This setting has a maximum allowed value of 365 days.</Description>
          <DFFormat>
@ -154,7 +154,7 @@ This setting has a maximum allowed value of 365 days.</Description>
                <MSFT:DependencyAllowedValue ValueType="ENUM">
                  <MSFT:Enum>
                    <MSFT:Value>1</MSFT:Value>
-                    <MSFT:ValueDescription>BackupDirectory configured to Azure AD</MSFT:ValueDescription>
+                    <MSFT:ValueDescription>BackupDirectory configured to Microsoft Entra ID</MSFT:ValueDescription>
                  </MSFT:Enum>
                </MSFT:DependencyAllowedValue>
              </MSFT:Dependency>
@ -442,7 +442,7 @@ If not specified, this setting defaults to True.</Description>
          <DefaultValue>True</DefaultValue>
          <Description>Use this setting to configure whether the password is encrypted before being stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
 This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
@ -499,7 +499,7 @@ If not specified, this setting defaults to True.</Description>
          </AccessType>
          <Description>Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
 If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@ -1,7 +1,7 @@
 ---
 title: PassportForWork CSP
 description: Learn more about the PassportForWork CSP.
-ms.date: 08/06/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -265,7 +265,7 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
 <!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
 <!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-End -->
 <!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-Begin -->
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@ -1,7 +1,7 @@
 ---
 title: PassportForWork DDF file
 description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider.
-ms.date: 06/28/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -831,7 +831,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
              <MIME />
            </DFType>
            <MSFT:Applicability>
-              <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+              <MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
              <MSFT:CspVersion>1.6</MSFT:CspVersion>
            </MSFT:Applicability>
            <MSFT:AllowedValues ValueType="ENUM">
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@ -1,7 +1,7 @@
 ---
 title: Policies supported by Windows 10 Team
 description: Learn about the policies supported by Windows 10 Team.
-ms.date: 08/06/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -417,6 +417,7 @@ This article lists the policies that are applicable for the Surface Hub operatin
 - [ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
 - [ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
 - [ForceTouchKeyboardDockedState](policy-csp-textinput.md#forcetouchkeyboarddockedstate)
 - [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
 - [TouchKeyboardDictationButtonAvailability](policy-csp-textinput.md#touchkeyboarddictationbuttonavailability)
 - [TouchKeyboardEmojiButtonAvailability](policy-csp-textinput.md#touchkeyboardemojibuttonavailability)
 - [TouchKeyboardFullModeAvailability](policy-csp-textinput.md#touchkeyboardfullmodeavailability)
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@ -1,7 +1,7 @@
 ---
 title: Configuration service provider preview policies
 description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -29,10 +29,17 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
 - [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
 ## Connectivity
 - [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
 - [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
 - [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
 ## DeclaredConfiguration CSP
 - [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
 - [Abandoned](declaredconfiguration-csp.md#hostcompletedocumentsdocidpropertiesabandoned)
 - [ConflictResolution](declaredconfiguration-csp.md#managementserviceconfigurationconflictresolution)
 ## DeliveryOptimization
@ -52,6 +59,10 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [MdmAgentInstalled](devicepreparation-csp.md#mdmprovidermdmagentinstalled)
 - [RebootRequired](devicepreparation-csp.md#mdmproviderrebootrequired)
 ## Display
 - [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
 ## DMClient CSP
 - [DiscoveryEndpoint](dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
@ -97,7 +108,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 ## PassportForWork CSP
 - [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
 - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
 ## Reboot CSP
@ -112,6 +122,10 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
 ## TextInput
 - [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
 ## Update
 - [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@ -1,7 +1,7 @@
 ---
 title: Connectivity Policy CSP
 description: Learn more about the Connectivity Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 04/10/2024
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- Connectivity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Connectivity-Editable-End -->
@ -584,6 +586,104 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi
 <!-- DiablePrintingOverHTTP-End -->
 <!-- DisableCellularOperatorSettingsPage-Begin -->
 ## DisableCellularOperatorSettingsPage
 <!-- DisableCellularOperatorSettingsPage-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- DisableCellularOperatorSettingsPage-Applicability-End -->
 <!-- DisableCellularOperatorSettingsPage-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableCellularOperatorSettingsPage
 ```
 <!-- DisableCellularOperatorSettingsPage-OmaUri-End -->
 <!-- DisableCellularOperatorSettingsPage-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy makes all configurable settings in the 'Cellular' > 'Mobile operator settings' page read-only.
 <!-- DisableCellularOperatorSettingsPage-Description-End -->
 <!-- DisableCellularOperatorSettingsPage-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DisableCellularOperatorSettingsPage-Editable-End -->
 <!-- DisableCellularOperatorSettingsPage-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- DisableCellularOperatorSettingsPage-DFProperties-End -->
 <!-- DisableCellularOperatorSettingsPage-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Disabled. |
 | 1 | Enabled. |
 <!-- DisableCellularOperatorSettingsPage-AllowedValues-End -->
 <!-- DisableCellularOperatorSettingsPage-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- DisableCellularOperatorSettingsPage-Examples-End -->
 <!-- DisableCellularOperatorSettingsPage-End -->
 <!-- DisableCellularSettingsPage-Begin -->
 ## DisableCellularSettingsPage
 <!-- DisableCellularSettingsPage-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- DisableCellularSettingsPage-Applicability-End -->
 <!-- DisableCellularSettingsPage-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableCellularSettingsPage
 ```
 <!-- DisableCellularSettingsPage-OmaUri-End -->
 <!-- DisableCellularSettingsPage-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy makes all configurable settings in the 'Cellular' Settings page read-only.
 <!-- DisableCellularSettingsPage-Description-End -->
 <!-- DisableCellularSettingsPage-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DisableCellularSettingsPage-Editable-End -->
 <!-- DisableCellularSettingsPage-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- DisableCellularSettingsPage-DFProperties-End -->
 <!-- DisableCellularSettingsPage-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Disabled. |
 | 1 | Enabled. |
 <!-- DisableCellularSettingsPage-AllowedValues-End -->
 <!-- DisableCellularSettingsPage-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- DisableCellularSettingsPage-Examples-End -->
 <!-- DisableCellularSettingsPage-End -->
 <!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
 ## DisableDownloadingOfPrintDriversOverHTTP
@ -899,6 +999,55 @@ If you disable this setting or don't configure it, the user will be able to crea
 <!-- ProhibitInstallationAndConfigurationOfNetworkBridge-End -->
 <!-- UseCellularWhenWiFiPoor-Begin -->
 ## UseCellularWhenWiFiPoor
 <!-- UseCellularWhenWiFiPoor-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- UseCellularWhenWiFiPoor-Applicability-End -->
 <!-- UseCellularWhenWiFiPoor-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/Connectivity/UseCellularWhenWiFiPoor
 ```
 <!-- UseCellularWhenWiFiPoor-OmaUri-End -->
 <!-- UseCellularWhenWiFiPoor-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy allows the use of a cellular connection when Wi-Fi connectivity is limited.
 <!-- UseCellularWhenWiFiPoor-Description-End -->
 <!-- UseCellularWhenWiFiPoor-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- UseCellularWhenWiFiPoor-Editable-End -->
 <!-- UseCellularWhenWiFiPoor-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 1 |
 <!-- UseCellularWhenWiFiPoor-DFProperties-End -->
 <!-- UseCellularWhenWiFiPoor-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 | Disabled. |
 | 1 (Default) | Enabled. |
 <!-- UseCellularWhenWiFiPoor-AllowedValues-End -->
 <!-- UseCellularWhenWiFiPoor-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- UseCellularWhenWiFiPoor-Examples-End -->
 <!-- UseCellularWhenWiFiPoor-End -->
 <!-- Connectivity-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- Connectivity-CspMoreInfo-End -->
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@ -1,7 +1,7 @@
 ---
 title: Display Policy CSP
 description: Learn more about the Display Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -9,10 +9,72 @@ ms.date: 01/18/2024
 <!-- Display-Begin -->
 # Policy CSP - Display
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- Display-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Display-Editable-End -->
 <!-- ConfigureMultipleDisplayMode-Begin -->
 ## ConfigureMultipleDisplayMode
 <!-- ConfigureMultipleDisplayMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- ConfigureMultipleDisplayMode-Applicability-End -->
 <!-- ConfigureMultipleDisplayMode-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/Display/ConfigureMultipleDisplayMode
 ```
 <!-- ConfigureMultipleDisplayMode-OmaUri-End -->
 <!-- ConfigureMultipleDisplayMode-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy set the default display to set the arrangement between cloning or extending.
 <!-- ConfigureMultipleDisplayMode-Description-End -->
 <!-- ConfigureMultipleDisplayMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- ConfigureMultipleDisplayMode-Editable-End -->
 <!-- ConfigureMultipleDisplayMode-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 1 |
 <!-- ConfigureMultipleDisplayMode-DFProperties-End -->
 <!-- ConfigureMultipleDisplayMode-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 | Default. |
 | 1 (Default) | Clone. |
 | 2 | Extend. |
 <!-- ConfigureMultipleDisplayMode-AllowedValues-End -->
 <!-- ConfigureMultipleDisplayMode-GpMapping-Begin -->
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
 | Name | ConfigureMultipleDisplayMode |
 | Path | Display > AT > System > DisplayCat |
 | Element Name | ConfigureMultipleDisplayModePrompt |
 <!-- ConfigureMultipleDisplayMode-GpMapping-End -->
 <!-- ConfigureMultipleDisplayMode-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- ConfigureMultipleDisplayMode-Examples-End -->
 <!-- ConfigureMultipleDisplayMode-End -->
 <!-- DisablePerProcessDpiForApps-Begin -->
 ## DisablePerProcessDpiForApps
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@ -1,7 +1,7 @@
 ---
 title: LocalPoliciesSecurityOptions Policy CSP
 description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -388,10 +388,27 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
 |:--|:--|
 | Format | `b64` |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: ``) |
+| Default Value  | AA== |
 | Default Value  | 00 |
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-End -->
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | AQ== | Enable. |
 | AA== (Default) | Disable. |
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-AllowedValues-End -->
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-GpMapping-Begin -->
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
 | Name | Audit: Audit the use of Backup and Restore privilege |
 | Path | Windows Settings > Security Settings > Local Policies > Security Options |
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-GpMapping-End -->
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-End -->
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@ -1,7 +1,7 @@
 ---
 title: RemoteDesktopServices Policy CSP
 description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -156,7 +156,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockLegacyAuthn-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2461] and later <br> ✅ [10.0.25398.887] and later <br> ✅ Windows 10, version 2004 [10.0.19041.4474] and later <br> ✅ Windows 11, version 21H2 with [KB5037770](https://support.microsoft.com/help/5037770) [10.0.22000.2960] and later <br> ✅ Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) [10.0.22621.3593] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisconnectOnLockLegacyAuthn-Applicability-End -->
 <!-- DisconnectOnLockLegacyAuthn-OmaUri-Begin -->
@ -217,7 +217,7 @@ This policy applies only when using legacy authentication to authenticate to the
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2461] and later <br> ✅ [10.0.25398.887] and later <br> ✅ Windows 10, version 2004 [10.0.19041.4474] and later <br> ✅ Windows 11, version 21H2 with [KB5037770](https://support.microsoft.com/help/5037770) [10.0.22000.2960] and later <br> ✅ Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) [10.0.22621.3593] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-End -->
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-Begin -->
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@ -1,7 +1,7 @@
 ---
 title: TextInput Policy CSP
 description: Learn more about the TextInput Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
 <!-- TextInput-Begin -->
 # Policy CSP - TextInput
 [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
 <!-- TextInput-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- TextInput-Editable-End -->
@ -1172,6 +1174,56 @@ Specifies the touch keyboard is always docked. When this policy is set to enable
 <!-- ForceTouchKeyboardDockedState-End -->
 <!-- TouchKeyboardControllerModeAvailability-Begin -->
 ## TouchKeyboardControllerModeAvailability
 <!-- TouchKeyboardControllerModeAvailability-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
 <!-- TouchKeyboardControllerModeAvailability-Applicability-End -->
 <!-- TouchKeyboardControllerModeAvailability-OmaUri-Begin -->
 ```Device
 ./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardControllerModeAvailability
 ```
 <!-- TouchKeyboardControllerModeAvailability-OmaUri-End -->
 <!-- TouchKeyboardControllerModeAvailability-Description-Begin -->
 <!-- Description-Source-DDF -->
 Specifies whether the controller keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the controller keyboard mode for touch keyboard is disabled.
 <!-- TouchKeyboardControllerModeAvailability-Description-End -->
 <!-- TouchKeyboardControllerModeAvailability-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- TouchKeyboardControllerModeAvailability-Editable-End -->
 <!-- TouchKeyboardControllerModeAvailability-DFProperties-Begin -->
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
 <!-- TouchKeyboardControllerModeAvailability-DFProperties-End -->
 <!-- TouchKeyboardControllerModeAvailability-AllowedValues-Begin -->
 **Allowed values**:
 | Value | Description |
 |:--|:--|
 | 0 (Default) | The OS determines when it's most appropriate to be available. |
 | 1 | Controller keyboard is always available. |
 | 2 | Controller keyboard is always disabled. |
 <!-- TouchKeyboardControllerModeAvailability-AllowedValues-End -->
 <!-- TouchKeyboardControllerModeAvailability-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- TouchKeyboardControllerModeAvailability-Examples-End -->
 <!-- TouchKeyboardControllerModeAvailability-End -->
 <!-- TouchKeyboardDictationButtonAvailability-Begin -->
 ## TouchKeyboardDictationButtonAvailability
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@ -1,7 +1,7 @@
 ---
 title: Wifi Policy CSP
 description: Learn more about the Wifi Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -188,10 +188,7 @@ By default, ICS is disabled when you create a remote access connection, but admi
 <!-- AllowManualWiFiConfiguration-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0.
+Allow or block connections to Wi-Fi outside of MDM server-installed networks. If you change this setting to Block, you must deploy enterprise Wi-Fi profiles to the device using the Wi-Fi CSP before you apply this setting. Otherwise, the device will go offline since it won't be able to connect to Wi-Fi. Note that choosing to block Wi-Fi connections will delete any previously installed user-configured Wi-Fi profiles from the device, though not all non-MDM profiles will be deleted.
 > [!NOTE]
 > Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that aren't user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
 <!-- AllowManualWiFiConfiguration-Description-End -->
 <!-- AllowManualWiFiConfiguration-Editable-Begin -->
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@ -1,7 +1,7 @@
 ---
 title: WindowsAI Policy CSP
 description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
 ---
 <!-- Auto-Generated CSP Document -->
@ -286,10 +286,9 @@ This policy setting allows you to turn off Windows Copilot.
 <!-- TurnOffWindowsCopilot-Description-End -->
 <!-- TurnOffWindowsCopilot-Editable-Begin -->
 > [!Note]
 > - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. <!--9048085-->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. <!--9048085-->
 <!-- TurnOffWindowsCopilot-Editable-End -->
 <!-- TurnOffWindowsCopilot-DFProperties-Begin -->
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -13,7 +13,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server</a>
-ms.date: 10/15/2024
+ms.date: 11/06/2024
 ---
 # Update Windows installation media with Dynamic Update
@ -121,7 +121,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe
 ### Checkpoint cumulative updates
-Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information. 
+Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information. 
 To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@ -38,7 +38,7 @@ When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup
 - Single sign-on (SSO) to enterprise and SaaS applications
 - No use of consumer Microsoft account identity
-Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
 In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.