From 03d522de6dd2eb2e19ff7442b1d51239e9ffedad Mon Sep 17 00:00:00 2001 From: Giammarco Boscaro Date: Thu, 12 Dec 2024 11:24:41 +0100 Subject: [PATCH 01/18] fixed shell launcher powershell script --- windows/configuration/assigned-access/shell-launcher/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md index 4c942afd74..5ffc4c6801 100644 --- a/windows/configuration/assigned-access/shell-launcher/index.md +++ b/windows/configuration/assigned-access/shell-launcher/index.md @@ -78,7 +78,7 @@ $shellLauncherConfiguration = @" $namespaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) +$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue if($cimSetError) { Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" @@ -86,6 +86,7 @@ if($cimSetError) { $timeout = New-TimeSpan -Seconds 30 $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' } do{ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available From d865e57600ef8ed77110812a7de29f4e4551c4c8 Mon Sep 17 00:00:00 2001 From: Robin Harwood <19212983+robinharwood@users.noreply.github.com> Date: Tue, 17 Dec 2024 09:14:42 +0000 Subject: [PATCH 02/18] Update deprecated-features.md Fixing typo --- windows/whats-new/deprecated-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
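Review bot: the `do { $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable ... } until ($events.Count -or ...)` loop in this hunk will now actually run, because the added `$eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }` line supplies the variable it previously never defined, but the loop still exits as soon as the Admin log holds any event at all, including records from earlier configuration attempts, so on a device that has been configured before the 30-second wait ends immediately and stale errors are reported as if they belonged to this `Set-CimInstance` call. Consider capturing the time before the call and adding it to the filter, for example `$since = Get-Date` followed by `@{ LogName='Microsoft-Windows-AssignedAccess/Admin'; StartTime=$since }`, so only events from this attempt are retrieved. The property change from `$obj.Configuration` to `$obj.ShellLauncher` is the right fix for this script: on `MDM_AssignedAccess` the `Configuration` property carries the multi-app kiosk XML, while the Shell Launcher XML held in `$shellLauncherConfiguration` belongs to the `ShellLauncher` node, so the old line was writing the document to the wrong node.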
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 2a9c66a21f..568b781fc7 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -52,7 +52,7 @@ The features in this article are no longer being actively developed, and might b | Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 | | Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows.

In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 | | DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 | -| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md).

**[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 20205. | June 2024 | +| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md).

**[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 | | Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 | | NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 | | TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). 
This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.

TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024| From dda722c0dbb5183504e55a9db7443a1fe52521e9 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 17 Dec 2024 09:37:25 -0800 Subject: [PATCH 03/18] Added VBS and ARM64-CHPE information --- .../manage/windows-autopatch-hotpatch-updates.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index f59aeefc45..c4c4038b35 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -1,7 +1,7 @@ --- title: Hotpatch updates description: Use Hotpatch updates to receive security updates without restarting your device -ms.date: 11/19/2024 +ms.date: 12/17/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to 
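Review bot: in the patch 02/18 hunk for `deprecated-features.md`, the rewritten `+| NTLM |` row fixes `Windows Server 20205` to `2025` but keeps the stray comma in `For more information, see, [Resources for deprecated features]`; since the whole row is already being replaced, dropping that comma in the same change avoids a second one-character fix later.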
@@ -35,9 +35,12 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up To benefit from Hotpatch updates, devices must meet the following prerequisites: - Operating System: Devices must be running Windows 11 24H2 or later. -- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. +- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. For more information on how to set and detect if VBS is enabled, see [Virtualization-based Security](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity). - Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). +> [!NOTE] +> Hotpatch is available on Windows Server. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/azure-edition/hotpatch). + ## Ineligible devices Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases. 
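Review bot: the new link text in the VBS bullet promises to show "how to set and detect if VBS is enabled", but the target (`enable-virtualization-based-protection-of-code-integrity`) is the memory integrity (HVCI) article, and HVCI is a feature built on top of VBS rather than VBS itself; a device can have VBS running with memory integrity off, so a reader following the link may enable more than the prerequisite requires, or conclude VBS is absent when it is running. Either say that the validation section of that article is the part that matters, or point at the VBS requirement directly; the `Win32_DeviceGuard` CIM class (`VirtualizationBasedSecurityStatus`, where 2 means running) is the usual check and could be named in the bullet. The same hunk adds a `[!NOTE]` on Windows Server Hotpatch whose link target (`/windows-server/azure-edition/hotpatch`) patch 05/18 in this series then corrects to `/windows-server/get-started/enable-hotpatch-azure-edition`; squashing those commits would keep the broken path from landing.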
@@ -45,7 +48,7 @@ Devices that don't meet one or more prerequisites automatically receive the Late LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant. > [!NOTE] -> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings. +> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.

For **ARM64 devices**, Compiled Hybrid PE Usage (CHPE) is turned on by default. You must turn off CHPE to receive regular LCU to keep your ARM64 device compliant and secure.

## Release cycles From b5e931a47a5af9e558be363ea0998b9ec685d498 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 17 Dec 2024 09:44:27 -0800 Subject: [PATCH 04/18] Fixed link --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index c4c4038b35..cc0fe7063c 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
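Review bot: the sentence added under the `[!NOTE]` in the patch 03/18 hunk above (`For **ARM64 devices**, Compiled Hybrid PE Usage (CHPE) is turned on by default. You must turn off CHPE to receive regular LCU`) states the requirement backwards: the note's own surrounding text says devices that are ineligible for Hotpatch are offered the LCU automatically, and nothing in the hunk ties the cumulative update to CHPE. CHPE being enabled is what stops Hotpatch updates from fully applying on an Arm64 device (patch 07/18 in this series documents the `HotPatchRestrictions` registry value for exactly that reason), so this line belongs with the prerequisites and should say what to turn off and how, not in the LCU fallback note. Also, the new paragraph is added after the `> If devices aren't eligible ...` line without the `>` prefix, so it falls outside the callout it is meant to extend.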
@@ -35,7 +35,7 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up To benefit from Hotpatch updates, devices must meet the following prerequisites: - Operating System: Devices must be running Windows 11 24H2 or later. -- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. For more information on how to set and detect if VBS is enabled, see [Virtualization-based Security](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity). +- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. For more information on how to set and detect if VBS is enabled, see [Virtualization-based Security](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). - Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). > [!NOTE] From f52d87e3cf1b4419e2fa24f398c2b04901f2c6e3 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 17 Dec 2024 09:49:40 -0800 Subject: [PATCH 05/18] Fixed the actual broken link --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index cc0fe7063c..cd65318f7f 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -39,7 +39,7 @@ To benefit from Hotpatch updates, devices must meet the following prerequisites: - Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). > [!NOTE] -> Hotpatch is available on Windows Server. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/azure-edition/hotpatch). +> Hotpatch is available on Windows Server. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). ## Ineligible devices From 431f11951bd9fd15ac97eabdb76c66c4b6a2fb70 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 17 Dec 2024 10:29:38 -0800 Subject: [PATCH 06/18] Added error code 80070020 --- windows/deployment/update/windows-update-error-reference.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index b6dbfb03a0..f5d53887cf 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md 
@@ -257,6 +257,7 @@ The PnP enumerated device is removed from the System Spec because one of the har | Error code | Message | Description | |------------|-----------------------------------|--------------------------------------------------------------| +| `0x80070020` | `InstallFileLocked`| Couldn't access the file because it is already in use. This can occur when the installer tries to replace a file that an antivirus, antimalware or backup program is currently scanning. | | `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service. | `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded. | `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found. From 22aa9a423c388fc59375252158b8c510a6559188 Mon Sep 17 00:00:00 2001 From: David Callaghan Date: Tue, 17 Dec 2024 11:07:49 -0800 Subject: [PATCH 07/18] Update windows-autopatch-hotpatch-updates.md Adding important device OS prerequisites that prevent devices from installing updates and not being secure. --- .../windows-autopatch-hotpatch-updates.md | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index cd65318f7f..76c71d2c57 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -1,7 +1,7 @@ --- title: Hotpatch updates description: Use Hotpatch updates to receive security updates without restarting your device -ms.date: 12/17/2024 +ms.date: 11/19/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to 
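Review bot: `0x80070020` is `HRESULT_FROM_WIN32(ERROR_SHARING_VIOLATION)` (Win32 error 32), not a Windows Update Agent result code, yet the hunk inserts it at the top of the table whose other rows are `WU_E_*` values starting at `0x80240001`. The Message column should carry the symbolic name Windows actually uses, `ERROR_SHARING_VIOLATION` (if `InstallFileLocked` is a label from update logs or telemetry, say where it comes from), and the row should sit with the other Win32/HRESULT errors on the page or the description should state the mapping, so that a reader searching for the name in an event log finds it. The description is otherwise useful; "antivirus, antimalware or backup program" could take a serial comma to match the rest of the table.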
@@ -30,17 +30,30 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up - No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies. - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. +## Operating system configuration prerequisites +To prepare a device to receive hotpatch updates, configure the following device-side operating system settings. Failure to configure these settings will result in the device not being offered the hotpatch update or being unable to apply all the hotpatch updates, leaving some vulnerabilities unmitigated. + +### Virtualization based security (VBS) +VBS must be enabled for a device to be offered hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). + +### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) +The following requirement only appies to Arm 64 CPU devices when using hotpatch updates. Hotpatch updates are not compatible with servicing CHPE OS binaries located in the %SystemRoot%\SyChpe32 folder. In order to ensure all the hotpatch updates take effect, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting will persist through updates. 
To disable CHPE, set the following registry key: +Path: **HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management** +Key value: **HotPatchRestrictions=1** + +> [!IMPORTANT:] +> This setting is required becuase it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance so you excluding them may impact performance or compatibility. Be sure to > test application compatibility or performance impacts before rolling out hotpatch updates widely on Arm 64 CPU based devices. + +If you choose to no longer use Hotpatch updates you can clear the flag (HotPatchRestrictions=0) and restart the computer which will reenable CHPE usage. + ## Eligible devices To benefit from Hotpatch updates, devices must meet the following prerequisites: - Operating System: Devices must be running Windows 11 24H2 or later. -- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. For more information on how to set and detect if VBS is enabled, see [Virtualization-based Security](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). +- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. - Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). -> [!NOTE] -> Hotpatch is available on Windows Server. 
For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). - ## Ineligible devices Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases. @@ -48,7 +61,7 @@ Devices that don't meet one or more prerequisites automatically receive the Late LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant. > [!NOTE] -> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.

For **ARM64 devices**, Compiled Hybrid PE Usage (CHPE) is turned on by default. You must turn off CHPE to receive regular LCU to keep your ARM64 device compliant and secure.

+> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings. ## Release cycles From 6d0fa75a3079518865557312087d5ffc8e1c858a Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:51:04 -0800 Subject: [PATCH 08/18] Update windows-autopatch-hotpatch-updates.md Fixed broken links and a bunch of style/grammar. --- .../windows-autopatch-hotpatch-updates.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 76c71d2c57..5e16a7ada2 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
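Review bot: in the patch 07/18 prerequisites hunk, `> [!IMPORTANT:]` is not valid alert syntax (the marker is `[!IMPORTANT]` with no colon), so the callout renders as a plain blockquote, and the stray `> ` in the middle of the same paragraph (`Be sure to > test application compatibility`) shows the text was pasted from a wrapped quote; that line also carries the typos `becuase` and `insetad`, and the section intro has `appies`. For the registry instructions, `Key value: **HotPatchRestrictions=1**` should give the value name, type and data separately (a `HotPatchRestrictions` value, presumably `REG_DWORD`, set to `1` under the `Memory Management` key), because "Key value" reads as a key literally named `HotPatchRestrictions=1`; a `reg add` or `Set-ItemProperty` line would remove the ambiguity, and the text should say that the change needs administrator rights plus the restart it already mentions. The same hunk also deletes the Windows Server `[!NOTE]` whose link patch 05/18 just fixed, with no explanation in the commit message, and the first hunk of this patch reverts `ms.date` from `12/17/2024` back to `11/19/2024`, which looks like a stale-branch conflict rather than an intended change.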
@@ -31,20 +31,23 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. ## Operating system configuration prerequisites -To prepare a device to receive hotpatch updates, configure the following device-side operating system settings. Failure to configure these settings will result in the device not being offered the hotpatch update or being unable to apply all the hotpatch updates, leaving some vulnerabilities unmitigated. + +To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates. ### Virtualization based security (VBS) -VBS must be enabled for a device to be offered hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). + +VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) -The following requirement only appies to Arm 64 CPU devices when using hotpatch updates. Hotpatch updates are not compatible with servicing CHPE OS binaries located in the %SystemRoot%\SyChpe32 folder. In order to ensure all the hotpatch updates take effect, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. 
The registry setting will persist through updates. To disable CHPE, set the following registry key: -Path: **HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management** -Key value: **HotPatchRestrictions=1** + +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key: +Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` +Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] -> This setting is required becuase it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance so you excluding them may impact performance or compatibility. Be sure to > test application compatibility or performance impacts before rolling out hotpatch updates widely on Arm 64 CPU based devices. +> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. -If you choose to no longer use Hotpatch updates you can clear the flag (HotPatchRestrictions=0) and restart the computer which will reenable CHPE usage. +If you choose to no longer use hotpatch updates you can clear the flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. ## Eligible devices 
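Review bot: wrapping the registry path and value in both backticks and bold (`` `**HKLM\SYSTEM\...**` `` and `` `**HotPatchRestrictions=1**` ``) puts the asterisks inside a code span, so they render as literal `**` instead of as bold; use one or the other. The `Path:` and `Key value:` lines also have no blank line or trailing double space between them, so Markdown joins them into one paragraph. This style pass keeps `[!IMPORTANT:]` (the colon stops it rendering as an alert) and `insetad`, and the reworded callout now has a comma splice: `to improve performance, excluding the CHPE binaries might affect`.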
@@ -83,7 +86,7 @@ For more information about the release calendar for Hotpatch updates, see [Relea 1. Go to the **Quality updates** tab. 1. Select **Create**, and select **Windows quality update policy (preview)**. 1. Under the **Basics** section, enter a name for your new policy and select Next. -1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**. +1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. 1. Select the appropriate Scope tags or leave as Default and select **Next**. 1. Assign the devices to the policy and select **Next**. 1. Review the policy and select **Create**. From 2f52fff7844b4ea8643be4c5d5732c3645dd8000 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:55:22 -0800 Subject: [PATCH 09/18] Update windows-autopatch-hotpatch-updates.md Style/grammar/specificity tweak. --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 5e16a7ada2..bb9a220536 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
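Review bot: in the patch 08/18 hunk for the policy steps, the setting name is a UI string and should be quoted exactly as Intune displays it rather than recased to match the article's "Hotpatch" style; if the product label reads `hotpatch` in lowercase, this change makes the documentation diverge from what the reader sees on screen. The quoting is also unbalanced: `**"When available, apply without restarting the device ("Hotpatch")**` opens a double quote that is never closed.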
@@ -47,7 +47,7 @@ Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] > This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. -If you choose to no longer use hotpatch updates you can clear the flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. +If you choose to no longer use Hotpatch updates you can clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. ## Eligible devices From ee2c677fae74dc0aab1df1bc2839860d523ee848 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:33:43 -0800 Subject: [PATCH 10/18] Update windows-autopatch-hotpatch-updates.md Tweak --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index bb9a220536..6f86ba7eb0 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
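Review bot: this one-line wording change introduces a new typo, `disasble` for `disable`, in `clear the CHPE disasble flag`; patch 10/18 rewords the same sentence and carries the misspelling forward, so it is worth fixing here rather than in a later pass.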
@@ -47,7 +47,7 @@ Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] > This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. -If you choose to no longer use Hotpatch updates you can clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. +If you choose to no longer use Hotpatch updates, clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. ## Eligible devices From 14237d08e59d64e557e5290fd1980c4f7cb99261 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:36:50 -0800 Subject: [PATCH 11/18] Update windows-autopatch-hotpatch-updates.md More grammar and style tweaks. --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 6f86ba7eb0..28ff8a692c 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
@@ -36,7 +36,7 @@ To prepare a device to receive Hotpatch updates, configure the following operati ### Virtualization based security (VBS) -VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). +VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) From b2f300aac1748861ab7bc229947ba002e2c1d941 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:43:51 -0800 Subject: [PATCH 12/18] Update windows-autopatch-hotpatch-updates.md Hopefully last one. --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 28ff8a692c..efb01d9aa2 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
@@ -45,7 +45,7 @@ Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] -> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. +> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices. If you choose to no longer use Hotpatch updates, clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. From 69f6f8644df862c4a044dca4828ad38410b254b8 Mon Sep 17 00:00:00 2001 From: UCOwner <91348318+UCOwner@users.noreply.github.com> Date: Wed, 18 Dec 2024 08:58:14 -0800 Subject: [PATCH 13/18] Learn Editor: Update wufb-reports-workbook.md --- windows/deployment/update/wufb-reports-workbook.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index cefc7b717e..faa2671fbe 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md 
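Review bot: the capitalization fix ("Hotpatch") touches the IMPORTANT line but leaves "insetad" and the comma splice in it ("...to improve performance, excluding the CHPE binaries might affect performance or compatibility"); suggest "instead" and splitting into two sentences: "CHPE binaries include native Arm 64 code to improve performance. Excluding them might affect performance or compatibility." Also, the alert marker in the context line is `> [!IMPORTANT:]`; the Learn alert syntax is `> [!IMPORTANT]` without the colon, so the box likely isn't rendering.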
@@ -159,7 +159,8 @@ Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates The **Update status** group for driver updates contains the following items: -- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates. +- **Update states for all driver updates**: Chart containing the number of driver updates in a specific state, such as installing. + - **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class. - **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates. From b1b135485a67020bf180da7026e4b8f456fca4bd Mon Sep 17 00:00:00 2001 From: Robert Durff <43757104+MSRobertD@users.noreply.github.com> Date: Thu, 19 Dec 2024 10:43:06 -0800 Subject: [PATCH 15/18] Remove broken links from CC topic for previous Windows versions There are 3 broken (404) links in this topic, for the Admin Guide documents for the Windows 7 and Windows Vista evaluations. We are removing these links for now. --- .../certification/validations/cc-windows-previous.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/security-foundations/certification/validations/cc-windows-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-previous.md index 8d5cd8c275..d648de3a05 100644 --- a/windows/security/security-foundations/certification/validations/cc-windows-previous.md +++ b/windows/security/security-foundations/certification/validations/cc-windows-previous.md 
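Review bot: the first `+` line changes what the chart counts, from "number of devices in a specific state" to "number of driver updates in a specific state"; please confirm against the workbook that the unit really is updates rather than devices, since the sibling item "Update alerts for all driver updates" counts errors and warnings and the new "Distribution of Driver Classes" item counts drivers. The new item's Title Case ("Distribution of Driver Classes") also differs from the sentence case of the other bullets; keep it only if it mirrors the workbook's own label.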
@@ -30,14 +30,14 @@ The following tables list the completed Common Criteria certifications for Windo |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] | +|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] | ## Windows Vista |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] | -|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] | +|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] | +|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. 
|[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] | --- @@ -65,9 +65,6 @@ The following tables list the completed Common Criteria certifications for Windo [admin-guide-january-2015-rt]: https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx [admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf [admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx -[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00 -[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 -[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 From 93dcf73c4c5bcc5d842be67e79b1ea38e65a7c06 Mon Sep 17 00:00:00 2001 From: Blake Drumm Date: Fri, 27 Dec 2024 13:58:49 -0500 Subject: [PATCH 16/18] Small formatting update to standardize the look :man_office_worker: --- windows/deployment/update/waas-wu-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 1448b50473..18e7af7514 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 12/14/2024 +ms.date: 12/27/2024 --- # Manage additional Windows Update settings 
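Review bot: the three removed reference definitions should be checked against the rest of the file, because any remaining `[Administrative Guide][admin-guide-march-2011]`-style reference renders as literal brackets once its definition is gone (the table hunk above removes the three visible uses, but a grep for `admin-guide-march-2011`, `admin-guide-august-2009` and `admin-guide-september-2008` is cheap). Note also that the removed `[admin-guide-august-2009]` and `[admin-guide-september-2008]` definitions pointed at the same familyid, so the September 2008 link was pointing at the wrong document even before it returned 404; when these guides are restored, the 2008 one needs its own URL.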
@@ -300,7 +300,7 @@ On new devices, Windows Update doesn't begin installing background updates until In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in: -- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator +- **Registry key**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator` - **DWORD value name**: ScanBeforeInitialLogonAllowed - **Value data**: 1 From b5f0b13b7ded9d67a39204ec19fa857a85d10d04 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 30 Dec 2024 15:02:39 -0500 Subject: [PATCH 17/18] Added note with KB --- windows/configuration/windows-spotlight/index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/configuration/windows-spotlight/index.md b/windows/configuration/windows-spotlight/index.md index ad39469d22..994088b132 100644 --- a/windows/configuration/windows-spotlight/index.md +++ b/windows/configuration/windows-spotlight/index.md @@ -21,6 +21,9 @@ Windows spotlight is a feature that displays different wallpapers and offers sug :::image type="content" source="images/lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows Spotlight enabled." border="false"::: +> [!NOTE] +> After installing the [October 22, 2024 KB5046633](https://support.microsoft.com/topic/22631-4460-6ff7b117-cd80-471a-a9ac-48a794bda2d6), the default Windows wallpaper changes to Windows spotlight. To change the new default behavior use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image. + ::: zone-end ::: zone pivot="windows-10" 
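Review bot: for the standardization this commit describes, the two context lines after the changed one are still unformatted; wrap the value name and data the same way, i.e. `- **DWORD value name**: `ScanBeforeInitialLogonAllowed`` and `- **Value data**: `1``, so the whole registry triple reads consistently with the backticked key path.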
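Review bot: in the new Windows 11 NOTE, "To change the new default behavior use the ..." needs a comma after "behavior", and "the new default behavior" is vague about what is new; "To change this default, use ..." is tighter. PATCH 18 in this series rewrites the sentence, so this can be folded into that change.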
@@ -31,6 +34,9 @@ Windows spotlight is a feature that displays different wallpapers and offers sug :::image type="content" source="images/lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows Spotlight enabled." border="false"::: +> [!NOTE] +> After installing the [December 10, 2024](https://support.microsoft.com/topic/19045-5247-454fbd4c-0723-449e-915b-8515ab41f8e3), the default Windows wallpaper changes to Windows spotlight. To change the new default behavior use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image. + ::: zone-end ## Windows edition and licensing requirements From d2b551eaf0f0b721fb15d501b2f5bd2ddf192561 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 31 Dec 2024 06:40:43 -0500 Subject: [PATCH 18/18] improved sentence --- windows/configuration/windows-spotlight/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/windows-spotlight/index.md b/windows/configuration/windows-spotlight/index.md index 994088b132..c16b4fb35a 100644 --- a/windows/configuration/windows-spotlight/index.md +++ b/windows/configuration/windows-spotlight/index.md 
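Review bot: the link text in the new Windows 10 NOTE is just "December 10, 2024" with no KB number, unlike the Windows 11 note that names KB5046633, so the reader can't tell which update is meant without following the link; PATCH 18 in this series supplies "KB5048652", so the two notes should be made symmetric there.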
@@ -22,7 +22,7 @@ Windows spotlight is a feature that displays different wallpapers and offers sug :::image type="content" source="images/lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows Spotlight enabled." border="false"::: > [!NOTE] -> After installing the [October 22, 2024 KB5046633](https://support.microsoft.com/topic/22631-4460-6ff7b117-cd80-471a-a9ac-48a794bda2d6), the default Windows wallpaper changes to Windows spotlight. To change the new default behavior use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image. +> After installing the [KB5046633 (October 22, 2024)](https://support.microsoft.com/topic/22631-4460-6ff7b117-cd80-471a-a9ac-48a794bda2d6), the default Windows wallpaper changes to Windows spotlight. To modify this behavior, use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image. ::: zone-end @@ -35,7 +35,7 @@ Windows spotlight is a feature that displays different wallpapers and offers sug :::image type="content" source="images/lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows Spotlight enabled." border="false"::: > [!NOTE] -> After installing the [December 10, 2024](https://support.microsoft.com/topic/19045-5247-454fbd4c-0723-449e-915b-8515ab41f8e3), the default Windows wallpaper changes to Windows spotlight. To change the new default behavior use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image. +> After installing the [KB5048652 (December 10, 2024)](https://support.microsoft.com/topic/19045-5247-454fbd4c-0723-449e-915b-8515ab41f8e3), the default Windows wallpaper changes to Windows spotlight. To modify this behavior, configure a custom lock screen and background image. ::: zone-end
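Review bot: the second hunk drops the AllowSpotlightCollection policy option from the Windows 10 note while the first hunk keeps it in the Windows 11 note; if the policy doesn't apply to Windows 10, say so explicitly ("the AllowSpotlightCollection policy setting isn't available on Windows 10; configure a custom lock screen and background image instead"), otherwise the asymmetry reads like an accidental omission.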