Merge pull request #10506 from vinaypamnani-msft/vp-csp-2412

CSP Updates for December 2024
Padma Jayaraman 2025-01-29 00:26:35 +05:30 committed by GitHub
commit c3b6f1e3bf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 436 additions and 123 deletions


@ -1,7 +1,7 @@
---
title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP.
ms.date: 01/31/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no
<!-- Device-AttestErrorMessage-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later <br> ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later <br> ✅ Windows Insider Preview |
<!-- Device-AttestErrorMessage-Applicability-End -->
<!-- Device-AttestErrorMessage-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>99.9.99999, 10.0.26100.2314, 10.0.22621.4541</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>


@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Connectivity
- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
- [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
- [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
- [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DeviceGuard
- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
## Reboot CSP
- [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)


@ -1,7 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read
<!-- DisableCellularSettingsPage-End -->
<!-- DisableCrossDeviceResume-Begin -->
## DisableCrossDeviceResume
<!-- DisableCrossDeviceResume-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCrossDeviceResume-Applicability-End -->
<!-- DisableCrossDeviceResume-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
```
<!-- DisableCrossDeviceResume-OmaUri-End -->
<!-- DisableCrossDeviceResume-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC.
- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
<!-- DisableCrossDeviceResume-Description-End -->
<!-- DisableCrossDeviceResume-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Editable-End -->
<!-- DisableCrossDeviceResume-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCrossDeviceResume-DFProperties-End -->
<!-- DisableCrossDeviceResume-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CrossDeviceResume is Enabled. |
| 1 | CrossDeviceResume is Disabled. |
<!-- DisableCrossDeviceResume-AllowedValues-End -->
<!-- DisableCrossDeviceResume-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Examples-End -->
<!-- DisableCrossDeviceResume-End -->
<!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
## DisableDownloadingOfPrintDriversOverHTTP
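Review bot: The DisableCrossDeviceResume description is hard to parse ("to continue tasks, such as browsing file, continue using 1P/3P apps"), and "Changes to this policy take effect on reboot" is attached to the third bullet only, so it reads as applying just to the not-configured case. Since the text is sourced from the DDF, consider fixing it there: spell out 1P/3P, and move the reboot sentence out of the list so it covers every value. The Editable and Examples sections are empty; a line stating that "enable" corresponds to value 1 ("CrossDeviceResume is Disabled") would help anyone setting the OMA-URI directly.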


@ -1,7 +1,7 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 01/21/2025
---
<!-- Auto-Generated CSP Document -->
@ -34,11 +34,7 @@ ms.date: 08/06/2024
<!-- DOAbsoluteMaxCacheSize-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum size in GB of Delivery Optimization cache.
This policy overrides the DOMaxCacheSize policy.
The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy.
<!-- DOAbsoluteMaxCacheSize-Description-End -->
<!-- DOAbsoluteMaxCacheSize-Editable-Begin -->
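Review bot: The replacement description for DOAbsoluteMaxCacheSize no longer says what 0 does; the removed text stated that 0 means an unlimited cache that is cleared when the device runs low on disk space. It also names the overridden policy "MaxCacheSize" where the removed sentence and the section markers on this page use DOMaxCacheSize. Suggest keeping the 0 semantics in the Editable section and referring to the policy by its CSP node name.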
@ -93,7 +89,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
<!-- DOAllowVPNPeerCaching-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
<!-- DOAllowVPNPeerCaching-Description-End -->
<!-- DOAllowVPNPeerCaching-Editable-Begin -->
@ -125,8 +121,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con
| Name | Value |
|:--|:--|
| Name | AllowVPNPeerCaching |
| Friendly Name | Enable Peer Caching while the device connects via VPN |
| Element Name | Enable Peer Caching while the device connects via VPN. |
| Friendly Name | Enable P2P while the device connects via VPN |
| Element Name | Enable P2P while the device connects via VPN. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -156,9 +152,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con
<!-- DOCacheHost-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!-- DOCacheHost-Description-End -->
<!-- DOCacheHost-Editable-Begin -->
@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or
<!-- DOCacheHostSource-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
Options available are:
0 = Disable DNS-SD.
1 = DHCP Option 235.
Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically.
1 = DHCP Option 235
2 = DHCP Option 235 Force.
If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
<!-- DOCacheHostSource-Description-End -->
<!-- DOCacheHostSource-Editable-Begin -->
@ -240,10 +227,18 @@ If this policy isn't configured, the client will attempt to automatically find a
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- DOCacheHostSource-DFProperties-End -->
<!-- DOCacheHostSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | DHCP Option 235. |
| 2 | DHCP Option 235 Force. |
<!-- DOCacheHostSource-AllowedValues-End -->
<!-- DOCacheHostSource-GpMapping-Begin -->
**Group policy mapping**:
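Review bot: The new allowed values table for DOCacheHostSource lists only 1 and 2, while the DFProperties table in the same hunk still gives "Default Value | 0", so a device at its default holds a value the table does not describe. Suggest adding a row for 0 with its meaning, or changing the default if 0 is no longer valid. The range line `[0-4294967295]` appears alongside the new table in this hunk; if it is being removed, the table needs to be exhaustive.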
@ -281,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a
<!-- DODelayBackgroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 hour (3600).
For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayBackgroundDownloadFromHttp-Description-End -->
<!-- DODelayBackgroundDownloadFromHttp-Editable-Begin -->
@ -311,7 +300,7 @@ The recommended value is 1 hour (3600).
| Name | Value |
|:--|:--|
| Name | DelayBackgroundDownloadFromHttp |
| Friendly Name | Delay background download from http (in secs) |
| Friendly Name | Delay background download from http (in seconds) |
| Element Name | Delay background download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
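Review bot: In the DelayBackgroundDownloadFromHttp mapping table the Friendly Name now reads "(in seconds)" while the Element Name on the next row still reads "(in secs)". If both strings come from the same ADMX, update them together so the two rows match.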
@ -342,7 +331,7 @@ The recommended value is 1 hour (3600).
<!-- DODelayCacheServerFallbackBackground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackBackground-Description-End -->
<!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
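Review bot: The replacement description for DODelayCacheServerFallbackBackground drops both the unit ("time in seconds") and the note that DODelayBackgroundDownloadFromHttp takes precedence over this policy. Without the precedence note an admin who sets both delays cannot tell from this page which one wins. Suggest restoring "in seconds" in the sentence and keeping the precedence note in the Editable section.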
@ -397,7 +386,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayCacheServerFallbackForeground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackForeground-Description-End -->
<!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@ -452,13 +441,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayForegroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 minute (60).
For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayForegroundDownloadFromHttp-Description-End -->
<!-- DODelayForegroundDownloadFromHttp-Editable-Begin -->
@ -482,7 +465,7 @@ The recommended value is 1 minute (60).
| Name | Value |
|:--|:--|
| Name | DelayForegroundDownloadFromHttp |
| Friendly Name | Delay Foreground download from http (in secs) |
| Friendly Name | Delay Foreground download from http (in seconds) |
| Element Name | Delay Foreground download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@ -513,7 +496,7 @@ The recommended value is 1 minute (60).
<!-- DODisallowCacheServerDownloadsOnVPN-Description-Begin -->
<!-- Description-Source-DDF -->
Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
<!-- DODisallowCacheServerDownloadsOnVPN-Description-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-Editable-Begin -->
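Review bot: The replacement description for DODisallowCacheServerDownloadsOnVPN talks about a "button" that is 'Not Set' or turned on to 'Enabled', which is UI wording that does not apply to an integer policy delivered over MDM. Suggest phrasing it in terms of the policy value, for example that the default leaves downloads from Microsoft Connected Cache allowed over an active VPN connection and that enabling the policy blocks them.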
@ -535,8 +518,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
| Value | Description |
|:--|:--|
| 0 (Default) | Allowed. |
| 1 | Not allowed. |
| 0 (Default) | Not Set. |
| 1 | Enabled. |
<!-- DODisallowCacheServerDownloadsOnVPN-AllowedValues-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-GpMapping-Begin -->
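Review bot: The allowed values rows changed from "Allowed" / "Not allowed" to "Not Set" / "Enabled", which no longer state the effect of each value. Because the policy name is a negative ("Disallow"), "Enabled" is easy to misread as enabling cache server downloads. Suggest keeping the effect in the description column, for example "1 | Enabled (downloads from Microsoft Connected Cache not allowed on VPN)".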
@ -572,7 +555,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
<!-- DODownloadMode-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
<!-- DODownloadMode-Description-End -->
<!-- DODownloadMode-Editable-Begin -->
@ -598,10 +581,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
|:--|:--|
| 0 (Default) | HTTP only, no peering. |
| 1 | HTTP blended with peering behind the same NAT. |
| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
| 2 | HTTP blended with peering across a private group. |
| 3 | HTTP blended with Internet peering. |
| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
| 99 | HTTP only, no peering, no use of DO cloud service. |
| 100 | Bypass mode, deprecated in Windows 11. |
<!-- DODownloadMode-AllowedValues-End -->
<!-- DODownloadMode-GpMapping-Begin -->
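Review bot: The shortened row for value 100 ("Bypass mode, deprecated in Windows 11.") drops the guidance on what to use instead; the removed row pointed to Simple mode on Windows 11 and explained that Windows 10 falls back to BITS. The row for value 2 likewise loses the hint that a custom group is created with Group ID. Suggest keeping both pointers in the Editable section so admins migrating off mode 100 have a target.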
@ -641,11 +624,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
<!-- DOGroupId-Description-Begin -->
<!-- Description-Source-ADMX -->
Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN.
Note this is a best effort optimization and shouldn't be relied on for an authentication of identity.
Specifies an arbitrary group ID that the device belongs to. A GUID must be used.
<!-- DOGroupId-Description-End -->
<!-- DOGroupId-Editable-Begin -->
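Review bot: The replacement description for DOGroupId removes the caveat "this is a best effort optimization and shouldn't be relied on for an authentication of identity", which is the only sentence on the page warning admins not to treat the group ID as a security boundary. Suggest keeping that caveat, together with the use case for branches on different domains or LANs, in the Editable section so it survives regeneration.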
@ -698,7 +677,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
<!-- DOGroupIdSource-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
Specifies the source of group ID used for peer selection.
<!-- DOGroupIdSource-Description-End -->
<!-- DOGroupIdSource-Editable-Begin -->
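Review bot: The one-sentence replacement for DOGroupIdSource drops three behaviours the removed text documented: the policy is ignored if the GroupID policy is also set, it only applies when the download mode is Group (2), and option 3 queries DHCP Option ID 234 for the GUID. These are the details needed to work out why a configured value has no effect. Suggest carrying them over into the Editable section.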
@ -722,12 +701,12 @@ Set this policy to restrict peer selection to a specific source. Available optio
| Value | Description |
|:--|:--|
| 0 (Default) | Unset. |
| 0 (Default) | Not Set. |
| 1 | AD site. |
| 2 | Authenticated domain SID. |
| 3 | DHCP user option. |
| 4 | DNS suffix. |
| 5 | Microsoft Entra ID. |
| 3 | DHCP Option ID. |
| 4 | DNS Suffix. |
| 5 | Entra ID Tenant ID. |
<!-- DOGroupIdSource-AllowedValues-End -->
<!-- DOGroupIdSource-GpMapping-Begin -->
@ -768,8 +747,6 @@ Set this policy to restrict peer selection to a specific source. Available optio
<!-- DOMaxBackgroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxBackgroundDownloadBandwidth-Description-End -->
<!-- DOMaxBackgroundDownloadBandwidth-Editable-Begin -->
@ -824,7 +801,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMaxCacheAge-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
<!-- DOMaxCacheAge-Description-End -->
<!-- DOMaxCacheAge-Editable-Begin -->
@ -879,7 +856,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
<!-- DOMaxCacheSize-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
<!-- DOMaxCacheSize-Description-End -->
<!-- DOMaxCacheSize-Editable-Begin -->
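Review bot: The DOMaxCacheSize description changes from "a percentage of disk size (1-100)" to "a percentage of the available drive space", which is a different quantity, not just a rewording. Please confirm which one the client actually uses, and keep the valid range and the default of 20 somewhere on the page, since the new sentence states neither.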
@ -935,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
<!-- DOMaxForegroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxForegroundDownloadBandwidth-Description-End -->
<!-- DOMaxForegroundDownloadBandwidth-Editable-Begin -->
@ -991,7 +966,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMinBackgroundQos-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
<!-- DOMinBackgroundQos-Description-End -->
<!-- DOMinBackgroundQos-Editable-Begin -->
@ -1046,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se
<!-- DOMinBatteryPercentageAllowedToUpload-Description-Begin -->
<!-- Description-Source-ADMX -->
Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
The value 0 means "not-limited"; The cloud service set default value will be used.
Specifies the minimum battery level required for uploading to peers, while on battery power.
<!-- DOMinBatteryPercentageAllowedToUpload-Description-End -->
<!-- DOMinBatteryPercentageAllowedToUpload-Editable-Begin -->
@ -1105,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use
<!-- DOMinDiskSizeAllowedToPeer-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
Specifies the required minimum total disk size in GB for the device to use P2P.
<!-- DOMinDiskSizeAllowedToPeer-Description-End -->
<!-- DOMinDiskSizeAllowedToPeer-Editable-Begin -->
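Review bot: The replacement description for DOMinDiskSizeAllowedToPeer removes the NOTE that, when DOModifyCacheDrive is set, the disk size check applies to the new working directory. That interaction is not documented anywhere else in this hunk, and the new wording ("total disk size") does not say which drive is measured. Suggest moving the note into the Editable section rather than dropping it.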
@ -1134,8 +1100,8 @@ Recommended values: 64 GB to 256 GB.
| Name | Value |
|:--|:--|
| Name | MinDiskSizeAllowedToPeer |
| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Friendly Name | Minimum disk size allowed to use P2P (in GB) |
| Element Name | Minimum disk size allowed to use P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1165,7 +1131,7 @@ Recommended values: 64 GB to 256 GB.
<!-- DOMinFileSizeToCache-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
Specifies the minimum content file size in MB eligible to use P2P.
<!-- DOMinFileSizeToCache-Description-End -->
<!-- DOMinFileSizeToCache-Editable-Begin -->
@ -1189,8 +1155,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
| Name | Value |
|:--|:--|
| Name | MinFileSizeToCache |
| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
| Element Name | Minimum Peer Caching Content File Size (in MB) |
| Friendly Name | Minimum P2P Content File Size (in MB) |
| Element Name | Minimum P2P Content File Size (in MB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1220,7 +1186,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
<!-- DOMinRAMAllowedToPeer-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
Specifies the minimum total RAM size in GB required to use P2P.
<!-- DOMinRAMAllowedToPeer-Description-End -->
<!-- DOMinRAMAllowedToPeer-Editable-Begin -->
@ -1244,8 +1210,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
| Name | Value |
|:--|:--|
| Name | MinRAMAllowedToPeer |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1275,9 +1241,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
<!-- DOModifyCacheDrive-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the drive Delivery Optimization shall use for its cache.
By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
<!-- DOModifyCacheDrive-Description-End -->
<!-- DOModifyCacheDrive-Editable-Begin -->
@ -1330,7 +1294,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
<!-- DOMonthlyUploadDataCap-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
<!-- DOMonthlyUploadDataCap-Description-End -->
<!-- DOMonthlyUploadDataCap-Editable-Begin -->
@ -1386,8 +1350,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to
<!-- DOPercentageMaxBackgroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
<!-- DOPercentageMaxBackgroundBandwidth-Description-End -->
<!-- DOPercentageMaxBackgroundBandwidth-Editable-Begin -->
@ -1445,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set.
<!-- DOPercentageMaxForegroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
<!-- DOPercentageMaxForegroundBandwidth-Description-End -->
<!-- DOPercentageMaxForegroundBandwidth-Editable-Begin -->
@ -1501,7 +1461,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DORestrictPeerSelectionBy-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
<!-- DORestrictPeerSelectionBy-Description-End -->
<!-- DORestrictPeerSelectionBy-Editable-Begin -->
@ -1528,7 +1488,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
|:--|:--|
| 0 (Default) | None. |
| 1 | Subnet mask. |
| 2 | Local peer discovery (DNS-SD). |
| 2 | Local discovery (DNS-SD). |
<!-- DORestrictPeerSelectionBy-AllowedValues-End -->
<!-- DORestrictPeerSelectionBy-GpMapping-Begin -->
@ -1681,7 +1641,7 @@ This policy allows an IT Admin to define the following details:
<!-- DOVpnKeywords-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma.
<!-- DOVpnKeywords-Description-End -->
<!-- DOVpnKeywords-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- DeviceGuard-Begin -->
# Policy CSP - DeviceGuard
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-Editable-End -->
@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
<!-- LsaCfgFlags-End -->
<!-- MachineIdentityIsolation-Begin -->
## MachineIdentityIsolation
<!-- MachineIdentityIsolation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MachineIdentityIsolation-Applicability-End -->
<!-- MachineIdentityIsolation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
```
<!-- MachineIdentityIsolation-OmaUri-End -->
<!-- MachineIdentityIsolation-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
<!-- MachineIdentityIsolation-Description-End -->
<!-- MachineIdentityIsolation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Editable-End -->
<!-- MachineIdentityIsolation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- MachineIdentityIsolation-DFProperties-End -->
<!-- MachineIdentityIsolation-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
<!-- MachineIdentityIsolation-AllowedValues-End -->
<!-- MachineIdentityIsolation-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Machine Identity Isolation Configuration. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- MachineIdentityIsolation-GpMapping-End -->
<!-- MachineIdentityIsolation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Examples-End -->
<!-- MachineIdentityIsolation-End -->
<!-- RequirePlatformSecurityFeatures-Begin -->
## RequirePlatformSecurityFeatures
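Review bot: The MachineIdentityIsolation description ("Machine Identity Isolation: 0 - Machine password is only LSASS-bound ...") uses LSASS-bound and IUM-bound without expanding either term, and the Editable and Examples sections are left at their placeholders, so no prerequisites are stated even though the group policy mapping points at "Turn On Virtualization Based Security". Please document whether virtualization-based security has to be enabled before values 1 and 2 take effect, and what value 1 actually records, given that the allowed-values table calls it audit mode. The description line also omits the (Disabled), (Enabled in audit mode) and (Enabled in enforcement mode) labels that the table carries; the two should use the same wording.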

View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 09/27/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin -->
## ForcePrivacyScreen
<!-- ForcePrivacyScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
```
<!-- ForcePrivacyScreen-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedOff. |
| 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreen |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End -->
<!-- ForcePrivacyScreen-End -->
<!-- ForcePrivacyScreenDim-Begin -->
## ForcePrivacyScreenDim
<!-- ForcePrivacyScreenDim-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
```
<!-- ForcePrivacyScreenDim-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenDim |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End -->
<!-- ForcePrivacyScreenDim-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-CspMoreInfo-End -->
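Review bot: The three new descriptions embed the settings UI labels in running text without quotation marks ("Determines whether detect when other people are looking at my screen is forced on/off ..."), which makes them hard to parse; quote the label in each. The hunk also does not say how ForcePrivacyScreenDim and ForcePrivacyScreenNotification behave when ForcePrivacyScreen is 2 (ForcedOff), and each Editable section is still a placeholder, so that interaction is undocumented. Smaller points: the allowed-values tables run 2, 1, 0 with the default last, and the group policy mappings give only Name and Path with no ADMX file name.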

View File

@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Printers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Printers-Editable-End -->
@ -348,6 +350,56 @@ The following are the supported values:
<!-- ConfigureIppPageCountsPolicy-End -->
<!-- ConfigureIppTlsCertificatePolicy-Begin -->
## ConfigureIppTlsCertificatePolicy
<!-- ConfigureIppTlsCertificatePolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureIppTlsCertificatePolicy-Applicability-End -->
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
```
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-End -->
<!-- ConfigureIppTlsCertificatePolicy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- ConfigureIppTlsCertificatePolicy-Description-End -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-End -->
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-End -->
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureIppTlsCertificatePolicy |
| ADMX File Name | Printing.admx |
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-End -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-End -->
<!-- ConfigureIppTlsCertificatePolicy-End -->
<!-- ConfigureRedirectionGuardPolicy-Begin -->
## ConfigureRedirectionGuardPolicy
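Review bot: ConfigureIppTlsCertificatePolicy ships with no description at all: the Description block holds only "Description-Source-Not-Found", and the Editable and Examples sections are placeholders. The format is `chr` (string) with no allowed values, schema or sample payload, so an admin cannot tell what string to send for a policy whose name says it governs IPP TLS certificate handling. The "ADMX-Not-Found" marker also sits directly above an ADMX mapping that names Printing.admx; one of the two is wrong. Fill in the description and a payload example before this is published, or hold the section back until the source metadata exists.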

View File

@ -1,7 +1,7 @@
---
title: VPNv2 CSP
description: Learn more about the VPNv2 CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- Device-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- Device-{ProfileName}-ByPassForLocal-Description-End -->
<!-- Device-{ProfileName}-ByPassForLocal-Editable-Begin -->
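Review bot: "Not supported." is left as the whole ByPassForLocal description, and the hunk header counts (11 lines before, 7 after) show that the False/True explanation and the force-tunnel example went away with it. State what the client does when a profile still sets this node, whether the value is ignored or the write is rejected, and from which OS version that applies; a deployment that requires force tunnel needs to know whether local-subnet traffic can still bypass the VPN.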
@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- User-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- User-{ProfileName}-ByPassForLocal-Description-End -->
<!-- User-{ProfileName}-ByPassForLocal-Editable-Begin -->

View File

@ -1,7 +1,7 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />
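Review bot: The `<Description>` is reduced to "Not supported." while the context lines of this same hunk still show `<Replace />` inside `<AccessType>` and a `<bool />` `<DFFormat>`, so the DDF describes a writable boolean node that its own text says does not work. If the node is kept only for compatibility, say so in the description and state whether a write is accepted and ignored or rejected, so that tooling generated from the DDF does not present it as a usable setting.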
@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />