diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json index 7e028ba6b7..e27a545a00 100644 --- a/.openpublishing.redirection.education.json +++ b/.openpublishing.redirection.education.json @@ -229,6 +229,11 @@ "source_path": "education/windows/windows-editions-for-education-customers.md", "redirect_url": "/education/windows", "redirect_document_id": false + }, + { + "source_path": "education/windows/configure-windows-for-education.md", + "redirect_url": "/education/windows", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md deleted file mode 100644 index d9b96510a0..0000000000 --- a/education/windows/configure-windows-for-education.md +++ /dev/null 
@@ -1,159 +0,0 @@ ---- -title: Windows 10 configuration recommendations for education customers -description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- -# Windows 10 configuration recommendations for education customers - -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). - -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). - -In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. 
- -| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | -| --- | --- | --- | --- | --- | --- | -| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set | -| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set | -| **Cortana** | **AllowCortana** | Disables Cortana

* Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | -| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set | -| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

* Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set | - - -## Recommended configuration -It's easy to be education ready when using Microsoft products. We recommend the following configuration: - -1. Use an Office 365 Education tenant. - - With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). - -2. Activate Intune for Education in your tenant. - - You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html). - -3. On PCs running Windows 10, version 1703: - 1. Provision the PC using one of these methods: - * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. - * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. - 2. Join the PC to Microsoft Entra ID. - * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID. - * Manually Microsoft Entra join the PC during the Windows device setup experience. - 3. Enroll the PCs in MDM. - * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. - 4. 
Ensure that needed assistive technology apps can be used. - * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. - -4. Distribute the PCs to students. - - Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge. - -5. Ongoing management through Intune for Education. - - You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs. - -## Configuring Windows -You can configure Windows through provisioning or management tools including industry standard MDM. -- Provisioning - A one-time setup process. -- Management - A one-time and/or ongoing management of a PC by setting policies. - -You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready: -- [Set up School PCs](use-set-up-school-pcs-app.md) -- [Intune for Education](/intune-education/available-settings) - -## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). - -> [!NOTE] -> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. - -Use one of these methods to set this policy. 
- -### MDM -- Intune for Education automatically sets this policy in the **All devices** group policy configuration. -- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana - - Data type: Integer - - Value: 0 - -### Group Policy -Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. - -### Provisioning tools -- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. - -## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). - -Use one of these methods to set this policy. - -### MDM -- Intune for Education automatically sets this policy in the **All devices** group policy configuration. -- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. 
- - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies - - Data type: Boolean - - Value: true - - ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) - -### Group Policy -**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). - -For example: - -- Open PowerShell as an administrator and enter the following: - - ``` - $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" - - $sharedPC.SetEduPolicies = $True - - Set-CimInstance -CimInstance $sharedPC - - Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass - ``` - -### Provisioning tools -- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. - - ![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png) - -## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. - -### Configurations - - - -#### Microsoft Entra ID and Office 365 Education tenant -To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps: - -1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590). -2. 
Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant). -3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. -4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC. -> [!NOTE] -> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time. - -#### Office 365 sign-in to Bing -To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps: - -1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. -2. Have students sign into Bing with their Office 365 account. - - -## Related topics -[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) diff --git a/education/windows/images/setedupolicies_omauri.png b/education/windows/images/setedupolicies_omauri.png deleted file mode 100644 index eb3d9e216c..0000000000 Binary files a/education/windows/images/setedupolicies_omauri.png and /dev/null differ diff --git a/education/windows/images/wcd/setedupolicies.png b/education/windows/images/wcd/setedupolicies.png deleted file mode 100644 index e240063f68..0000000000 Binary files a/education/windows/images/wcd/setedupolicies.png and /dev/null differ diff --git a/education/windows/images/wcd/wcd_settings_assignedaccess.png b/education/windows/images/wcd/wcd_settings_assignedaccess.png deleted file mode 100644 index 443a5d0688..0000000000 Binary files a/education/windows/images/wcd/wcd_settings_assignedaccess.png and /dev/null differ 
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index eec8f909f1..56477ff62e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -102,10 +102,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | | `DigiExam` | 14.1.0 | `Win32` | `Digiexam` | | `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` | -| `Dolphin Guide Connect` | 1.25 | `Win32` | `Dolphin Guide Connect` | +| `Dolphin Guide Connect` | 1.27 | `Win32` | `Dolphin Guide Connect` | | `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` | -| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | +| `Duo from Cisco` | 6.3.0 | `Win32` | `Cisco` | | `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | | `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | | `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` | @@ -114,7 +114,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ESET Endpoint Security` | 10.1.2046.0 | `Win32` | `ESET` | | `ESET Remote Administrator Agent` | 10.0.1126.0 | `Win32` | `ESET` | | `eTests` | 4.0.25 | `Win32` | `CASAS` | -| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` | +| `Exam Writepad` | 23.12.10.1200 | `Win32` | `Sheldnet` | | `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | | `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | | `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | 
@@ -126,8 +126,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` | | `Impero Backdrop Client` | 5.0.151 | `Win32` | `Impero Software` | | `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | +| `Inprint` | 3.7.6 | `Win32` | `Inprint` | | `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | -| `JAWS for Windows` | 2023.2307.37 | `Win32` | `Freedom Scientific` | +| `Instashare` | 1.3.13.0 | `Win32` | `Instashare` | +| `JAWS for Windows` | 2024.2312.53 | `Win32` | `Freedom Scientific` | | `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | | `Keyman` | 16.0.142 | `Win32` | `SIL International` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | @@ -155,7 +157,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | | `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | | `Netsweeper Workstation Agent` | 4.50.54.54 | `Win32` | `Netsweeper` | -| `NonVisual Desktop Access` | 2023.1. | `Win32` | `NV Access` | +| `NonVisual Desktop Access` | 2023.3 | `Win32` | `NV Access` | | `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` | | `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` | | `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` | @@ -166,7 +168,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ReadAndWriteForWindows` | 12.0.78 | `Win32` | `Texthelp Ltd.` | | `Remote Desktop client (MSRDC)` | 1.2.4487.0 | `Win32` | `Microsoft` | | `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` | -| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | +| `Respondus Lockdown Browser` | 2.1.1.05 | `Win32` | `Respondus` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | |`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` | |`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` | 
@@ -175,9 +177,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Senso.Cloud` |2021.11.15.0 | `Win32` | `Senso.Cloud` | | `Skoolnext` | 2.19 | `Win32` | `Skool.net` | | `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | -| `SuperNova Magnifier & Screen Reader` | 22.03 | `Win32` | `Dolphin Computer Access` | +| `SuperNova Magnifier & Screen Reader` | 22.04 | `Win32` | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | +| `Snapplify` | 6.9.7 | `Win32` | `Snapplify` | +|`TX Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | |`WA Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | | `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` | @@ -185,8 +188,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Windows SEB` | 3.4.0 | `Win32` | `Illinois Stateboard of Education` | | `Windows Notepad` | 12.0.78 | `Store` | `Microsoft Corporation` | | `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` | -| `ZoomText Fusion` | 2023.2307.7.400 | `Win32` | `Freedom Scientific` | -| `ZoomText Magnifier/Reader` | 2023.2307.29.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Fusion` | 2024.2310.13.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Magnifier/Reader` | 2024.2312.26.400 | `Win32` | `Freedom Scientific` | ## Add your own applications @@ -224,4 +227,4 @@ For more information on Intune requirements for adding education apps, see [Conf [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps [EDUWIN-2]: /education/windows/tutorial-school-deployment/ -[WIN-1]: /windows/whats-new/windows-11-requirements \ No newline at end of file +[WIN-1]: /windows/whats-new/windows-11-requirements 
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index f902b92204..6239626e67 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -11,7 +11,7 @@ ms.collection: # Use Quick Assist to help users -Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is an application that enables a person to share their [Windows](#install-quick-assist-on-windows) or [macOS](#install-quick-assist-on-macos) device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. ## Before you begin @@ -89,7 +89,7 @@ Microsoft logs a small amount of session data to monitor the health of the Quick In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. -## Install Quick Assist +## Install Quick Assist on Windows ### Install Quick Assist from the Microsoft Store 
@@ -127,7 +127,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco 1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` 1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` -## Microsoft Edge WebView2 +### Microsoft Edge WebView2 The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. @@ -136,6 +136,13 @@ The Microsoft Edge WebView2 is a development control that uses Microsoft Edg For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) +## Install Quick Assist on macOS + +Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device are not working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device. + +> [!NOTE] +> Quick Assist for macOS is not available outside of Microsoft Support interactions. + ## Next steps If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). 
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d52bea489c..e8dfe5371f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,7 +1,7 @@ --- title: Update Policy CSP description: Learn more about the Update Area in Policy CSP. -ms.date: 02/14/2024 +ms.date: 02/14/2024 --- @@ -1556,7 +1556,8 @@ Configure this policy to specify whether to receive **Windows Feature Updates** - SetPolicyDrivenUpdateSourceForOtherUpdates > [!NOTE] -> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration. 
@@ -1694,7 +1695,8 @@ Configure this policy to specify whether to receive **Windows Quality Updates** - SetPolicyDrivenUpdateSourceForOtherUpdates > [!NOTE] -> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration. diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md index 88c77810eb..8fcf389cf7 100644 --- a/windows/configuration/cellular/provisioning-apn.md +++ b/windows/configuration/cellular/provisioning-apn.md 
@@ -1,47 +1,44 @@ --- -title: Configure cellular settings for tablets and PCs -description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. +title: Configure cellular settings +description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles. ms.topic: concept-article -ms.date: 04/13/2018 +ms.date: 04/23/2024 --- -# Configure cellular settings for tablets and PCs +# Configure cellular settings ->**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) +This article describes how to configure cellular settings for devices that have a cellular modem using a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined in the provisioning package, without needing to connect manually. -Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. - -For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling. +For users who work in different locations, you can configure one APN to connect when the users are at work, and a different APN when the users are traveling. 
## Prerequisites -- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education) -- Tablet or PC with built-in cellular modem or plug-in USB modem dongle +- Device with built-in cellular modem or plug-in USB modem dongle - [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) -- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) +- APN (the address that the device uses to connect to the Internet when using the cellular data connection) ## How to configure cellular settings in a provisioning package -1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option. -1. Enter a name for your project, and then click **Next**. -1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. -1. Go to **Runtime settings > Connections > EnterpriseAPN**. -1. Enter a name for the connection, and then click **Add**. +1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option +1. Enter a name for your project, and then select **Next** +1. Select **All Windows desktop editions**, select **Next**, and then select **Finish** +1. Go to **Runtime settings > Connections > EnterpriseAPN** +1. Enter a name for the connection, and then select **Add** ![Example of APN connection name.](images/apn-add.png) -1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. +1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection ![settings for new connection.](images/apn-add-details.png) -1. The following table describes the settings available for the connection. +1. 
The following table describes the settings available for the connection | Setting | Description | | --- | --- | - | AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. | + | AlwaysOn | By default, the Connection Manager automatically attempts to connect to the APN when a connection is available. You can disable the setting. | | APNName | Enter the name of the APN. | | AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. | - | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. | + | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attached APN isn't only used as the Internet APN. | | Enabled | By default, the connection is enabled. You can change this setting. | | IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. | | IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. | 
@@ -55,22 +52,22 @@ For users who work in different locations, you can configure one APN to connect ## Confirm the settings -After you apply the provisioning package, you can confirm that the settings have been applied. +After you apply the provisioning package, you can confirm that the settings are applied. -1. On the configured device, open a command prompt as an administrator. +1. On the configured device, open a command prompt as an administrator 1. Run the following command: ```cmd netsh mbn show profiles ``` -1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: +1. The command lists the mobile broadband profiles. Using the **Name** for the listed mobile broadband profile, run: ```cmd netsh mbn show profiles name="name" ``` - This command will list details for that profile, including Access Point Name. + This command lists the details for that profile, including Access Point Name. Alternatively, you can also use the command: @@ -84,4 +81,4 @@ From the results of that command, get the name of the cellular/mobile broadband netsh mbn show connection interface="name" ``` -The result of that command will show details for the cellular interface, including Access Point Name. +The result of that command shows the details for the cellular interface, including Access Point Name. diff --git a/windows/configuration/images/icons/notification.svg b/windows/configuration/images/icons/notification.svg new file mode 100644 index 0000000000..0da0f9814d --- /dev/null +++ b/windows/configuration/images/icons/notification.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/taskbar.svg b/windows/configuration/images/icons/taskbar.svg new file mode 100644 index 0000000000..1a5a54d980 --- /dev/null +++ b/windows/configuration/images/icons/taskbar.svg @@ -0,0 +1,3 @@ + + + 
diff --git a/windows/configuration/images/icons/touch.svg b/windows/configuration/images/icons/touch.svg new file mode 100644 index 0000000000..886e616e56 --- /dev/null +++ b/windows/configuration/images/icons/touch.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md index 32c9952e4a..8a771280ae 100644 --- a/windows/configuration/start/layout.md +++ b/windows/configuration/start/layout.md @@ -291,19 +291,18 @@ To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-c The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: ```XML - + ``` >[!NOTE] ->In Windows 10, version 1703, `Export-StartLayout` will use `DesktopApplicationLinkPath` for the .url shortcut. You must change `DesktopApplicationLinkPath` to `DesktopApplicationID` and provide the URL. +>`Export-StartLayout` uses `DesktopApplicationLinkPath` for the .url shortcut. You must change `DesktopApplicationLinkPath` to `DesktopApplicationID` and provide the URL. #### start:SecondaryTile -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). +You can use the `start:SecondaryTile` tag to pin a web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the `start:DesktopApplicationTile` tag). The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index f978ff31a8..9dd5437ffc 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md 
@@ -81,7 +81,7 @@ Select one of the tabs to see the list of available settings: |[Prevent users from customizing their Start](#prevent-users-from-customizing-their-start)|❌|✅| |[Prevent users from uninstalling applications from Start](#prevent-users-from-uninstalling-applications-from-start)|❌|✅| |[Remove common program groups](#remove-common-program-groups)|❌|✅| -|[Show "Run as different user" command](#show-run-as-different-user-command)|❌|✅| +|[Show **Run as different user** command](#show-run-as-different-user-command)|❌|✅| ::: zone-end [!INCLUDE [clear-history-of-recently-opened-documents-on-exit](includes/clear-history-of-recently-opened-documents-on-exit.md)] @@ -116,7 +116,6 @@ Select one of the tabs to see the list of available settings: [!INCLUDE [remove-common-program-groups](includes/remove-common-program-groups.md)] [!INCLUDE [show-run-as-different-user-command](includes/show-run-as-different-user-command.md)] - #### [:::image type="icon" source="../images/icons/allapps.svg"::: **All apps**](#tab/allapps) |Policy name| CSP | GPO | diff --git a/windows/configuration/taskbar/images/pin-add-10.png b/windows/configuration/taskbar/images/pin-add-10.png new file mode 100644 index 0000000000..398028ee4b Binary files /dev/null and b/windows/configuration/taskbar/images/pin-add-10.png differ diff --git a/windows/configuration/taskbar/images/pin-add-11.png b/windows/configuration/taskbar/images/pin-add-11.png new file mode 100644 index 0000000000..de84d0154c Binary files /dev/null and b/windows/configuration/taskbar/images/pin-add-11.png differ diff --git a/windows/configuration/taskbar/images/pin-layout-10.png b/windows/configuration/taskbar/images/pin-layout-10.png new file mode 100644 index 0000000000..463655d37e Binary files /dev/null and b/windows/configuration/taskbar/images/pin-layout-10.png differ 
diff --git a/windows/configuration/taskbar/images/pin-layout-11.png b/windows/configuration/taskbar/images/pin-layout-11.png new file mode 100644 index 0000000000..717f210776 Binary files /dev/null and b/windows/configuration/taskbar/images/pin-layout-11.png differ diff --git a/windows/configuration/taskbar/images/pin-remove-10.png b/windows/configuration/taskbar/images/pin-remove-10.png new file mode 100644 index 0000000000..7d8671887b Binary files /dev/null and b/windows/configuration/taskbar/images/pin-remove-10.png differ diff --git a/windows/configuration/taskbar/images/pin-remove-11.png b/windows/configuration/taskbar/images/pin-remove-11.png new file mode 100644 index 0000000000..d815923516 Binary files /dev/null and b/windows/configuration/taskbar/images/pin-remove-11.png differ diff --git a/windows/configuration/taskbar/images/pin-replace-10.png b/windows/configuration/taskbar/images/pin-replace-10.png new file mode 100644 index 0000000000..31b1bfd98a Binary files /dev/null and b/windows/configuration/taskbar/images/pin-replace-10.png differ diff --git a/windows/configuration/taskbar/images/pin-replace-11.png b/windows/configuration/taskbar/images/pin-replace-11.png new file mode 100644 index 0000000000..ce90eebcad Binary files /dev/null and b/windows/configuration/taskbar/images/pin-replace-11.png differ diff --git a/windows/configuration/taskbar/images/start-layout-group-policy.png b/windows/configuration/taskbar/images/start-layout-group-policy.png deleted file mode 100644 index 99252bd139..0000000000 Binary files a/windows/configuration/taskbar/images/start-layout-group-policy.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-10.png b/windows/configuration/taskbar/images/taskbar-10.png new file mode 100644 index 0000000000..d99c1dd15d Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-10.png differ 
diff --git a/windows/configuration/taskbar/images/taskbar-11.png b/windows/configuration/taskbar/images/taskbar-11.png new file mode 100644 index 0000000000..accd2c6f8f Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-11.png differ diff --git a/windows/configuration/taskbar/images/taskbar-default-plus.png b/windows/configuration/taskbar/images/taskbar-default-plus.png deleted file mode 100644 index 8afcebac09..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-default-plus.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-default-removed.png b/windows/configuration/taskbar/images/taskbar-default-removed.png deleted file mode 100644 index b3ff924e9f..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-default-removed.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-default.png b/windows/configuration/taskbar/images/taskbar-default.png deleted file mode 100644 index 41c6c72258..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-default.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-generic.png b/windows/configuration/taskbar/images/taskbar-generic.png deleted file mode 100644 index 6d47a6795a..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-generic.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-region-defr.png b/windows/configuration/taskbar/images/taskbar-region-defr.png deleted file mode 100644 index 6d707b16f4..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-region-defr.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-region-other.png b/windows/configuration/taskbar/images/taskbar-region-other.png deleted file mode 100644 index fab367ef7a..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-region-other.png and /dev/null differ 
diff --git a/windows/configuration/taskbar/images/taskbar-region-usuk.png b/windows/configuration/taskbar/images/taskbar-region-usuk.png deleted file mode 100644 index 6bba65ee81..0000000000 Binary files a/windows/configuration/taskbar/images/taskbar-region-usuk.png and /dev/null differ diff --git a/windows/configuration/taskbar/images/taskbar-sections-10.png b/windows/configuration/taskbar/images/taskbar-sections-10.png new file mode 100644 index 0000000000..eec49c3d24 Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-sections-10.png differ diff --git a/windows/configuration/taskbar/images/taskbar-sections-11.png b/windows/configuration/taskbar/images/taskbar-sections-11.png new file mode 100644 index 0000000000..3e14e85b9d Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-sections-11.png differ diff --git a/windows/configuration/taskbar/includes/allow-widgets.md b/windows/configuration/taskbar/includes/allow-widgets.md new file mode 100644 index 0000000000..83a0bb12e7 --- /dev/null +++ b/windows/configuration/taskbar/includes/allow-widgets.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Allow widgets + +This policy specifies whether the widgets feature is allowed on the device. + +- Widgets are turned on by default, unless you change this in your settings +- If you turn on this policy setting, widgets are enabled automatically, unless you turn it off in your settings + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/`[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Widgets** | 
diff --git a/windows/configuration/taskbar/includes/configure-start-layout.md b/windows/configuration/taskbar/includes/configure-start-layout.md new file mode 100644 index 0000000000..7edd14def2 --- /dev/null +++ b/windows/configuration/taskbar/includes/configure-start-layout.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Configure Start layout + + + +This policy setting lets you specify the applications pinned to the taskbar. The layout that you specify has an XML format. + +| | Path | +|--|--| +| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout)

- `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

**User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | + +For more information, see [Customize the taskbar pinned applications](../pinned-apps.md). diff --git a/windows/configuration/taskbar/includes/configures-search-on-the-taskbar.md b/windows/configuration/taskbar/includes/configures-search-on-the-taskbar.md new file mode 100644 index 0000000000..3382db1ac7 --- /dev/null +++ b/windows/configuration/taskbar/includes/configures-search-on-the-taskbar.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Configures search on the taskbar + +This policy setting allows you to configure search on the taskbar. + +- If you enable this policy setting and set it to **hide**, search on taskbar is hidden by default. Users can't change it in Settings +- If you enable this policy setting and set it to **search icon only**, the search icon is displayed on the taskbar by default. Users can't change it in Settings +- If you enable this policy setting and set it to **search icon and label**, the search icon and label are displayed on the taskbar by default. Users can't change it in Settings +- If you enable this policy setting and set it to **search box**, the search box is displayed on the taskbar by default. Users can't change it in Settings +- If you disable or don't configure this policy setting, search on taskbar is configured according to the defaults for your Windows edition. Users can change search on taskbar in Settings + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Search/`[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) | +| **GPO** | **Computer Configuration** > **Windows Components** > **Search** | 
diff --git a/windows/configuration/taskbar/includes/disable-editing-quick-settings.md b/windows/configuration/taskbar/includes/disable-editing-quick-settings.md index b9dea0f3a5..d1f29ba96d 100644 --- a/windows/configuration/taskbar/includes/disable-editing-quick-settings.md +++ b/windows/configuration/taskbar/includes/disable-editing-quick-settings.md @@ -5,9 +5,10 @@ ms.date: 03/18/2024 ms.topic: include --- -### Disable editing quick settings +### Disable editing Quick Settings -When you enable this policy setting, users can't modify quick settings. If you disable or don't configure this policy setting, users can edit quick settings, like pinning or unpinning buttons. +- If you enable this policy setting, users can't modify Quick Settings +- If you disable or don't configure this policy setting, users can edit Quick Settings | | Path | |--|--| diff --git a/windows/configuration/taskbar/includes/do-not-allow-pinning-items-in-jump-lists.md b/windows/configuration/taskbar/includes/do-not-allow-pinning-items-in-jump-lists.md new file mode 100644 index 0000000000..22d26069ab --- /dev/null +++ b/windows/configuration/taskbar/includes/do-not-allow-pinning-items-in-jump-lists.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Do not allow pinning items in Jump Lists + +With this policy setting you control the pinning of items in Jump Lists. + +- If you enable this policy setting, users can't pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users can't unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists continue to show +- If you disable or don't configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items are always present in this menu + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/do-not-allow-pinning-programs-to-the-taskbar.md b/windows/configuration/taskbar/includes/do-not-allow-pinning-programs-to-the-taskbar.md new file mode 100644 index 0000000000..70b4320f49 --- /dev/null +++ b/windows/configuration/taskbar/includes/do-not-allow-pinning-programs-to-the-taskbar.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Do not allow pinning programs to the Taskbar + +This policy setting allows you to control pinning programs to the Taskbar. + +- If you enable this policy setting, users can't change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users can't unpin these programs already pinned to the Taskbar, and they can't pin new programs to the Taskbar +- If you disable or don't configure this policy setting, users can change the programs currently pinned to the Taskbar + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/do-not-allow-pinning-store-app-to-the-taskbar.md b/windows/configuration/taskbar/includes/do-not-allow-pinning-store-app-to-the-taskbar.md new file mode 100644 index 0000000000..a394034ed7 --- /dev/null +++ b/windows/configuration/taskbar/includes/do-not-allow-pinning-store-app-to-the-taskbar.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Do not allow pinning Store app to the Taskbar + +This policy setting allows you to control pinning the Store app to the Taskbar. + +- If you enable this policy setting, users can't pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next sign in +- If you disable or don't configure this policy setting, users can pin the Store app to the Taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | 
diff --git a/windows/configuration/taskbar/includes/do-not-allow-taskbars-on-more-than-one-display.md b/windows/configuration/taskbar/includes/do-not-allow-taskbars-on-more-than-one-display.md new file mode 100644 index 0000000000..7766466c8c --- /dev/null +++ b/windows/configuration/taskbar/includes/do-not-allow-taskbars-on-more-than-one-display.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Do not allow taskbars on more than one display + +This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users aren't able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. If you disable or don't configure this policy setting, users can show taskbars on more than one display. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md b/windows/configuration/taskbar/includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md new file mode 100644 index 0000000000..fb0d96e2d0 --- /dev/null +++ b/windows/configuration/taskbar/includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md 
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Do not display or track items in Jump Lists from remote locations + +This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites, and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. + +- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers aren't tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections +- If you disable or don't configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer + +> [!NOTE] +> This setting doesn't prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/example-add-pins.md b/windows/configuration/taskbar/includes/example-add-pins.md new file mode 100644 index 0000000000..06a78334f7 --- /dev/null +++ b/windows/configuration/taskbar/includes/example-add-pins.md @@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example-region.md b/windows/configuration/taskbar/includes/example-region.md new file mode 100644 index 0000000000..7c3c8f4eba --- /dev/null +++ b/windows/configuration/taskbar/includes/example-region.md 
@@ -0,0 +1,43 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example-remove-pins.md b/windows/configuration/taskbar/includes/example-remove-pins.md new file mode 100644 index 0000000000..e2f95fc832 --- /dev/null +++ b/windows/configuration/taskbar/includes/example-remove-pins.md @@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example-replace-pins.md b/windows/configuration/taskbar/includes/example-replace-pins.md new file mode 100644 index 0000000000..ccd014ee99 --- /dev/null +++ b/windows/configuration/taskbar/includes/example-replace-pins.md @@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example.md b/windows/configuration/taskbar/includes/example.md new file mode 100644 index 0000000000..4a31f71fce --- /dev/null +++ b/windows/configuration/taskbar/includes/example.md @@ -0,0 +1,53 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + +``` + +::: zone pivot="windows-10" + +### Sample taskbar configuration added to Start layout XML file + +If you configure the Start layout using policy settings, you can modify the existing XML file by adding the taskbar customizations to it. Here's an example of a Start layout XML file that includes the `CustomTaskbarLayoutCollection` node. + +```xml + + + + + + + + + + + + + + + + + + + +``` + +::: zone-end 
diff --git a/windows/configuration/taskbar/includes/hide-recent-jumplists.md b/windows/configuration/taskbar/includes/hide-recent-jumplists.md new file mode 100644 index 0000000000..67c433344f --- /dev/null +++ b/windows/configuration/taskbar/includes/hide-recent-jumplists.md @@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/12/2024 +ms.topic: include +--- + +### Hide recent jumplists + +Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. + +- If you enable this setting: + - The system and apps don't create shortcuts to documents opened + - The system empties the Recent Items menu on the Start menu, and apps don't display shortcuts at the bottom of the File menu + - The Jump Lists in the Start Menu and Taskbar don't show lists of recently or frequently used files, folders, or websites +- If you disable or don't configure this setting, the system stores and displays shortcuts to recently and frequently used files, folders, and websites +- If you enable this setting but don't enable the **Remove Recent Items menu from Start Menu** setting, the Recent Items menu appears on the Start menu, but it's empty. +- If you enable this setting, but then later disable it or set it to **Not Configured**, the document shortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus, and Jump Lists. This setting doesn't hide or prevent the user from pinning files, folders, or websites to the Jump Lists. This setting doesn't hide document shortcuts displayed in the Open dialog box + +| | Path | +|--|--| +| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)

- `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**

**User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**| diff --git a/windows/configuration/taskbar/includes/hide-the-notification-area.md b/windows/configuration/taskbar/includes/hide-the-notification-area.md new file mode 100644 index 0000000000..1313ae901b --- /dev/null +++ b/windows/configuration/taskbar/includes/hide-the-notification-area.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Hide the notification area + +This setting affects the notification area (previously called the "system tray") on the taskbar. Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. If this setting is enabled, the user?s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. If this setting is disabled or isn't configured, the notification area is shown in the user's taskbar. Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there's no need to clean up the icons. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/hide-the-taskview-button.md b/windows/configuration/taskbar/includes/hide-the-taskview-button.md new file mode 100644 index 0000000000..aa95d9a03f --- /dev/null +++ b/windows/configuration/taskbar/includes/hide-the-taskview-button.md 
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Hide the TaskView button + +This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button is hidden and the Settings toggle disabled. + +| | Path | +|--|--| +| **CSP** |- `./Device/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton)

- `./User/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) | +| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/lock-all-taskbar-settings.md b/windows/configuration/taskbar/includes/lock-all-taskbar-settings.md new file mode 100644 index 0000000000..59e7e89884 --- /dev/null +++ b/windows/configuration/taskbar/includes/lock-all-taskbar-settings.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Lock all taskbar settings + +With this policy setting you lock all taskbar settings. + +- If you enable this policy setting, the user can't access the taskbar control panel. The user can't resize, move, or rearrange toolbars on their taskbar +- If you disable or don't configure this policy setting, the user can set any taskbar setting that isn't prevented by another policy setting + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/lock-the-taskbar.md b/windows/configuration/taskbar/includes/lock-the-taskbar.md new file mode 100644 index 0000000000..2f5694702d --- /dev/null +++ b/windows/configuration/taskbar/includes/lock-the-taskbar.md 
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Lock the Taskbar + +This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it's locked, it can't be moved or resized. If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, autohide and other taskbar options are still available in Taskbar properties. If you disable this setting or don't configure it, the user can configure the taskbar position. Note: Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user can't show and hide various toolbars using the taskbar context menu. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-changes-to-taskbar-and-start-menu-settings.md b/windows/configuration/taskbar/includes/prevent-changes-to-taskbar-and-start-menu-settings.md new file mode 100644 index 0000000000..a159c12d82 --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-changes-to-taskbar-and-start-menu-settings.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent changes to Taskbar and Start Menu Settings + +With this policy setting you prevent changes to taskbar and Start settings. + +- If you enable this policy setting, the user can't open the Taskbar properties dialog box. If the user right-clicks the taskbar and then selects Properties, a message appears explaining that a setting prevents the action +- If you disable or don't configure this policy setting, the Taskbar and Start menu items are available from Settings on the Start menu + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-grouping-of-taskbar-items.md b/windows/configuration/taskbar/includes/prevent-grouping-of-taskbar-items.md new file mode 100644 index 0000000000..eb97a11ff8 --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-grouping-of-taskbar-items.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent grouping of taskbar items + +Taskbar grouping consolidates similar applications when there's no room on the taskbar. It kicks in when the user's taskbar is full. + +- If you enable this policy setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled +- If you disable or don't configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-users-from-adding-or-removing-toolbars.md b/windows/configuration/taskbar/includes/prevent-users-from-adding-or-removing-toolbars.md new file mode 100644 index 0000000000..da36dcc670 --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-users-from-adding-or-removing-toolbars.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent users from adding or removing toolbars + +With this policy setting you prevent users from adding or removing toolbars. + +- If you enable this policy setting, the user isn't allowed to add or remove any toolbars to the taskbar. Applications can't add toolbars either +- If you disable or don't configure this policy setting, the users and applications can add toolbars to the taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md b/windows/configuration/taskbar/includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md new file mode 100644 index 0000000000..953135ecf3 --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent users from moving taskbar to another screen dock location + +With this policy setting you prevent users from moving taskbar to another screen dock location. + +- If you enable this policy setting, users can't drag their taskbar to another area of the monitor(s) +- If you disable or don't configure this policy setting, users can drag their taskbar to another area of the monitor, unless prevented by another policy setting + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-users-from-rearranging-toolbars.md b/windows/configuration/taskbar/includes/prevent-users-from-rearranging-toolbars.md new file mode 100644 index 0000000000..0e64eb8a09 
--- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-users-from-rearranging-toolbars.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent users from rearranging toolbars + +With this policy setting you prevent users from rearranging toolbars. + +- If you enable this policy setting, users can't drag or drop toolbars to the taskbar +- If you disable or don't configure this policy setting, users can rearrange the toolbars on the taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-users-from-resizing-the-taskbar.md b/windows/configuration/taskbar/includes/prevent-users-from-resizing-the-taskbar.md new file mode 100644 index 0000000000..cddb749761 --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-users-from-resizing-the-taskbar.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent users from resizing the taskbar + +With this policy setting you prevent users from resizing the taskbar. + +- If you enable this policy setting, users can't resize their taskbar +- If you disable or don't configure this policy setting, users can resize their taskbar, unless prevented by another setting + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-access-to-the-context-menus-for-the-taskbar.md b/windows/configuration/taskbar/includes/remove-access-to-the-context-menus-for-the-taskbar.md new file mode 100644 index 0000000000..5ff72e3932 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-access-to-the-context-menus-for-the-taskbar.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove access to the context menus for the taskbar + +With this policy setting you can remove access to the context menus for the taskbar. + +- If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden. For example the Start button, the clock, and the taskbar buttons. +- If you disable or don't configure this policy setting, the context menus for the taskbar are available + +This policy setting doesn't prevent users from using other methods to issue the commands that appear on these menus. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-clock-from-the-system-notification-area.md b/windows/configuration/taskbar/includes/remove-clock-from-the-system-notification-area.md new file mode 100644 index 0000000000..569921f889 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-clock-from-the-system-notification-area.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove Clock from the system notification area + +- If you enable this policy setting, the clock isn't displayed in the system notification area +- If you disable or don't configure this policy setting, the default behavior accur, and the clock appears in the notification area + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-notifications-and-action-center.md b/windows/configuration/taskbar/includes/remove-notifications-and-action-center.md new file mode 100644 index 0000000000..850a20179f --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-notifications-and-action-center.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove Notifications and Action Center + +This policy setting removes *Notifications* and *Action Center* from the notification area on the taskbar. + +The notification area is located at the far right end of the taskbar, and includes icons for current notifications and the system clock. + +- If this setting is enabled, Notifications and Action Center aren't displayed in the notification area. The user can read notifications when they appear, but they can't review any notifications they miss +- If you disable or don't configure this policy setting, Notification and Security and Maintenance are displayed on the taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-pinned-programs-from-the-taskbar.md b/windows/configuration/taskbar/includes/remove-pinned-programs-from-the-taskbar.md new file mode 100644 index 0000000000..069de94c04 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-pinned-programs-from-the-taskbar.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove pinned programs from the Taskbar + +This policy setting allows you to remove pinned programs from the taskbar. + +- If you enable this policy setting, pinned programs are removed from the taskbar. Users can't pin programs to the taskbar +- If you disable or don't configure this policy setting, users can pin programs so that the program shortcuts stay on the taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-quick-settings.md b/windows/configuration/taskbar/includes/remove-quick-settings.md new file mode 100644 index 0000000000..55eaca637d --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-quick-settings.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove Quick Settings + +This policy setting removes Quick Settings from the bottom right area on the taskbar. The Quick Settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. + +If this setting is enabled, Quick Settings isn't displayed in the Quick Settings area. + +> [!NOTE] +> A reboot is required for this policy setting to take effect. + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[DisableControlCenter](/windows/client-management/mdm/policy-csp-start#disablecontrolcenter) | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-the-battery-meter.md b/windows/configuration/taskbar/includes/remove-the-battery-meter.md new file mode 100644 index 0000000000..445dba6aa5 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-the-battery-meter.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove the battery meter + +With this policy setting you can remove the battery meter from the system control area. + +- If you enable this policy setting, the battery meter isn't displayed in the system notification area +- If you disable or don't configure this policy setting, the battery meter is displayed in the system notification area + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-the-meet-now-icon.md b/windows/configuration/taskbar/includes/remove-the-meet-now-icon.md new file mode 100644 index 0000000000..75cd22365b --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-the-meet-now-icon.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove the Meet Now icon + +With this policy setting allows you can remove the Meet Now icon from the system control area. + +- If you enable this policy setting, the Meet Now icon isn't displayed in the system notification area +- If you disable or don't configure this policy setting, the Meet Now icon is displayed in the system notification area + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-the-networking-icon.md b/windows/configuration/taskbar/includes/remove-the-networking-icon.md new file mode 100644 index 0000000000..a1825e5f0e --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-the-networking-icon.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove the networking icon + +With this policy setting you can remove the networking icon from the system control area. + +- If you enable this policy setting, the networking icon isn't displayed in the system notification area +- If you disable or don't configure this policy setting, the networking icon is displayed in the system notification area + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-the-people-bar-from-the-taskbar.md b/windows/configuration/taskbar/includes/remove-the-people-bar-from-the-taskbar.md new file mode 100644 index 0000000000..679df69fde --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-the-people-bar-from-the-taskbar.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove the People Bar from the taskbar + +With this policy allows you can remove the People Bar from the taskbar and disables the My People experience. If you enable this policy setting, the people icon is removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users can't pin people to the taskbar. + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-the-volume-control-icon.md b/windows/configuration/taskbar/includes/remove-the-volume-control-icon.md new file mode 100644 index 0000000000..8e34ed3d84 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-the-volume-control-icon.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove the volume control icon + +With this policy setting you can remove the volume control icon from the system control area. + +- If you enable this policy setting, the volume control icon isn't displayed in the system notification area +- If you disable or don't configure this policy setting, the volume control icon is displayed in the system notification area + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/show-additional-calendar.md b/windows/configuration/taskbar/includes/show-additional-calendar.md new file mode 100644 index 0000000000..39ecd45a89 --- /dev/null +++ b/windows/configuration/taskbar/includes/show-additional-calendar.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Show additional calendar + +By default, the calendar is set according to the locale of the operating system, and users can show an additional calendar. + +- For `zh-CN` and `zh-SG` locales, an additional calendar shows the lunar month and date and holiday names in Simplified Chinese (Lunar) by default +- For `zh-TW`, `zh-HK`, and `zh-MO` locales, an additional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default + +- If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale +- If you disable this policy setting, users can't show an additional calendar, regardless of the locale +- If you don't configure this policy setting, the calendar will be set according to the default logic + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/simplify-quick-settings-layout.md b/windows/configuration/taskbar/includes/simplify-quick-settings-layout.md new file mode 100644 index 0000000000..ea3d57141e --- /dev/null +++ b/windows/configuration/taskbar/includes/simplify-quick-settings-layout.md 
@@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Simplify Quick Settings Layout + +- If you enable this policy, Quick Settings is reduced to only having the Wi-Fi, Bluetooth, Accessibility, and VPN buttons. The brightness slider, volume slider, and battery indicator and link to the Settings app +- If you disable or don't configure this policy setting, the regular Quick Settings layout appears whenever Quick Settings is invoked + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[SimplifyQuickSettings](/windows/client-management/mdm/policy-csp-start#simplifyquicksettings) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md b/windows/configuration/taskbar/includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md new file mode 100644 index 0000000000..4e9527beef --- /dev/null +++ b/windows/configuration/taskbar/includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Turn off automatic promotion of notification icons to the taskbar + +With this policy setting you can turn off automatic promotion of notification icons to the taskbar. + +- If you enable this policy setting, newly added notification icons aren't temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. +- If you disable or don't configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | 
diff --git a/windows/configuration/taskbar/includes/turn-off-notification-area-cleanup.md b/windows/configuration/taskbar/includes/turn-off-notification-area-cleanup.md new file mode 100644 index 0000000000..56f39f1f65 --- /dev/null +++ b/windows/configuration/taskbar/includes/turn-off-notification-area-cleanup.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Turn off notification area cleanup + +This setting affects the notification area, also called the *system tray*. The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. + +This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup `<<` icon can be referred to as the *notification chevron*. + +- If you enable this setting, the system notification area expands to show all of the notifications that use this area +- If you disable this setting, the system notification area always collapses notifications +- If you don't configure it, the user can choose if they want notifications collapsed or expanded + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/turn-off-windows-copilot.md b/windows/configuration/taskbar/includes/turn-off-windows-copilot.md new file mode 100644 index 0000000000..69b9f7fd71 --- /dev/null +++ b/windows/configuration/taskbar/includes/turn-off-windows-copilot.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Turn off Windows Copilot + +This policy setting allows you to turn off Windows Copilot. + +- If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either +- If you disable or don't configure this policy setting, users can use Copilot, if available + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/WindowsAI/`[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) | +| **GPO** | **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Copilot** | diff --git a/windows/configuration/taskbar/index.md b/windows/configuration/taskbar/index.md index b6ffb0bfb2..04b5c9de37 100644 --- a/windows/configuration/taskbar/index.md +++ b/windows/configuration/taskbar/index.md 
@@ -2,588 +2,104 @@ title: Configure the Windows taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. ms.topic: how-to -ms.date: 08/18/2023 +ms.date: 04/17/2024 appliesto: zone_pivot_groups: windows-versions-11-10 --- # Configure the Windows taskbar -::: zone pivot="windows-10" - -Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. - -> [!NOTE] -> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. - -You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). - -If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar. - -The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user. - -> [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). - -![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) - -## Configure taskbar (general) - -To configure the taskbar: - -1. 
Create the XML file - - If you're also [customizing the Start layout](../start/layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. - - If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file -1. Edit and save the XML file. You can use [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar - - Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. - - Use `` and [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps - - Use `` and Desktop Application Link Path to pin desktop applications -1. Apply the layout modification XML file to devices using Group Policy or a provisioning package. - ->[!IMPORTANT] ->If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. -> ->If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. 
If you use Group Policy and your configuration includes taskbar and a [partial Start layout](../start/layout.md), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. - -### Tips for finding AUMID and Desktop Application Link Path - -In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. - -The easiest way to find this data for an application is to: - -1. Pin the application to the Start menu on a reference or testing PC -1. Open Windows PowerShell and run the `Export-StartLayout` cmdlet -1. Open the generated XML file -1. Look for an entry corresponding to the app you pinned -1. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath` - -### Sample taskbar configuration XML file - -```xml - - - - - - - - - - - -``` - -### Sample taskbar configuration added to Start layout XML file - -```xml - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Keep default apps and add your own - -The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. - -```xml - - - - - - - - - - - - -``` - -**Before:** - -![default apps pinned to taskbar.](images/taskbar-default.png) - -**After:** - - ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) - -## Remove default apps and add your own - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. - -If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. 
- -```xml - - - - - - - - - - - - -``` - -**Before:** - -![Taskbar with default apps.](images/taskbar-default.png) - -**After:** - -![Taskbar with default apps removed.](images/taskbar-default-removed.png) - -## Remove default apps - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. - -```xml - - - - - - - - - - -``` - -## Configure taskbar by country or region - -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: - -![taskbar for US and UK locale.](images/taskbar-region-usuk.png) - -The resulting taskbar for computers in Germany or France: - -![taskbar for DE and FR locale.](images/taskbar-region-defr.png) - -The resulting taskbar for computers in any other country region: - -![taskbar for all other regions.](images/taskbar-region-other.png) - -> [!NOTE] -> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) - -## Layout Modification Template schema definition - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -::: zone-end +The Windows taskbar is an essential component of the Windows operating system. The taskbar acts as a versatile platform for multitasking and quick access to applications and system notifications. 
For organizations, the ability to customize the taskbar's layout and features through policy settings is invaluable, especially in scenarios where specific roles or functions require streamlined access to certain tools and programs. ::: zone pivot="windows-11" -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). - -Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps. - -For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar. - -To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. - -This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons). - -## Before you begin - -- There isn't a limit on the number of apps that you can pin. In the XML file, add apps using the [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app). -- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. 
For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar. -- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed. -- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). -- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. - - In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: - - - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) - -## Create the XML file - -1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins 2 apps to the taskbar - File Explorer and the Command Prompt: - - ```xml - - - - - - - - - - - - ``` - -1. In the `` node, add (or remove) the apps you want pinned. 
You can pin Universal Windows Platform (UWP) apps and desktop apps: - - - ``: Select this option for UWP apps. Add the [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) of the UWP app. - - ``: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app. - - You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar. - - For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). - -1. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: - - - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned. - - ``: Unpins the default apps. Only the apps you add are pinned. - - If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned. - -1. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region. - - In the following XML example, two regions are added: `US|UK` and `DE|FR`: - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` - - The taskbar applies when: - - - If the `` node has a country or region, then the apps are pinned on devices configured for that country or region. - - If the `` node doesn't have a region tag for the current region, then the first `` node with no region is applied. - -1. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices. 
- -## Use Group Policy or MDM to create and deploy a taskbar policy - -Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Intune. - -This section shows you how to deploy the XML both ways. - -### Use Group Policy to deploy your XML file - -Use the following steps to add your XML file to a group policy, and apply the policy: - -1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies. -1. Go to one of the following policies: - - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - -1. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled. - - Your policy looks like the following policy: - - :::image type="content" source="images/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices."::: - - The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices. - -1. When you apply the policy, the taskbar includes your changes. 
The next time users sign in, they'll see the changes. - - For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/). - -### Create a Microsoft Intune policy to deploy your XML file - -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. - -Use the following steps to create an Intune policy that deploys your taskbar XML file: - -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. Select **Devices** > **Configuration profiles** > **Create profile**. - -1. Enter the following properties: - - - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. - -1. In **Basics**, enter the following properties: - - - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**. - - **Description**: Enter a description for the profile. This setting is optional, and recommended. - -1. Select **Next**. - -1. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file. - -1. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure). - -1. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time. - - For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). 
- -> [!NOTE] -> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. - -## Get the AUMID and Desktop app link path - -In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet: - -1. On an existing Windows 11 device, pin the app to the Start menu. -1. Create a folder to save an output file. For example, create the `C:\Layouts` folder. -1. Open the Windows PowerShell app, and run the following cmdlet: - - ```powershell - Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml" - ``` - -1. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file. - -## Pin order for all apps - -On a taskbar, the following apps are typically pinned: - -- Apps pinned by the user -- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store. -- Apps pinned by your organization, such as in an unattended Windows setup. - - In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). - -Apps are pinned in the following order: - -1. Windows default apps are pinned first. -1. User-pinned apps are pinned after the Windows default apps. -1. XML-pinned apps are pinned after the user-pinned apps. - -If the OS is configured to use a right-to-left language, then the taskbar order is reversed. 
- -## OS install and upgrade - -- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar: - - - Apps you specifically add - - Any default apps you don't remove - - After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps. - -- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior: - - - If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps. - - If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned. - - If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps. - - New apps in updated layout file are pinned after the user's pinned apps. - - After the layout is applied, users can pin more apps, change the order, and unpin apps. +:::image type="content" source="images/taskbar-11.png" alt-text="Screenshot of the Windows 11 taskbar." border="false" lightbox="./images/taskbar-11.png"::: ::: zone-end - \ No newline at end of file +:::image type="content" source="images/taskbar-sections-10.png" alt-text="Screenshot of the Windows 11 taskbar with the two areas highlighted." border="false" lightbox="./images/taskbar-sections-10.png"::: + +::: zone-end + +## Configuration options + +There are several options to configure the Windows taskbar. + +If you need to configure a device for a single user, you can pin/unpin applications to the taskbar and rearrange them. The taskbar can be further customized from Settings. Go to **Settings** > **Personalization** > **[Taskbar](ms-settings:taskbar)**. 
+ +For advanced customizations and when you need to configure multiple devices, you can use one of the following options: + +- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md#csps-in-windows-configuration-designer), which are used at deployment time or for unmanaged devices. To configure the taskbar, use the [Start Policy CSP][WIN-1] +- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and not managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor + +> [!NOTE] +> While many of the taskbar policy settings can be configured using both CSP and GPO, there are some settings that are exclusive to one or the other. To learn about the available policy settings to configure the Start menu via CSP and GPO, see [Taskbar policy settings](policy-settings.md). + +## Next steps + +In the next sections, you can learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO): + +- [Taskbar policy settings](policy-settings.md) +- [Configure the taskbar pinned applications](pinned-apps.md) + + + +[WIN-1]: /windows/client-management/mdm/policy-csp-start diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md new file mode 100644 index 0000000000..d38c8a7d60 --- /dev/null +++ b/windows/configuration/taskbar/pinned-apps.md 
@@ -0,0 +1,233 @@ +--- +title: Configure the applications pinned to the taskbar +description: Learn how to configure the applications pinned to the Windows taskbar. +ms.topic: how-to +ms.date: 04/17/2024 +appliesto: +zone_pivot_groups: windows-versions-11-10 +--- + +# Configure the applications pinned to the taskbar + +The configuration of the applications pinned to the taskbar is done with the use of an XML file. This article describes how to create and deploy the XML configuration file. + +> [!NOTE] +> If you are looking for OEM information, see the article [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar). + +To learn about all the policy settings to customize the taskbar layout and configure the taskbar behaviors, see [Taskbar policy settings](policy-settings.md). + +## Before you begin + +Here are some considerations before you start configuring the taskbar pinned applications: + +- There's no limit to the number of apps that you can pin +- In the XML file, add apps using the Application User Model ID (AUMID), the Desktop Application ID, or the Desktop Application Link Path +- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Make sure to enter the correct Application ID. To learn more, see [Find the Application User Model ID of an installed app](../store/find-aumid.md) +- If you specify an app to be pinned that isn't provisioned for the user on the device, the pinned icon doesn't appear on the taskbar +- The order of applications in the XML file dictates the order of pinned apps on the taskbar, from left to right. If the OS is configured to use a right-to-left language, then the taskbar order is reversed +- Applications can be pinned using the following methods: + - Default Windows apps, pinned during the OS installation. For example: Microsoft Edge, File Explorer, and Store. 
These applications are pinned first (blue square) + - Pinned manually by the user. These applications are usually pinned next to the default pinned apps (red circle) + - Pinned via policy settings. These applications are pinned after the apps pinned manually by the user (green triangle) + +::: zone pivot="windows-10" + +:::image type="content" source="images/pin-layout-10.png" border="false" lightbox="images/pin-layout-10.png" alt-text="Screenshot of the taskbar with Windows default pinned apps, user pinned apps, and policy-pinned apps."::: + +::: zone-end + +::: zone pivot="windows-11" + +:::image type="content" source="images/pin-layout-11.png" border="false" lightbox="images/pin-layout-11.png" alt-text="Screenshot of the taskbar with Windows default pinned apps, user pinned apps, and policy-pinned apps."::: + +::: zone-end + +## Configuration steps + +The following steps describe how to configure the taskbar pinned applications using policy settings: + +1. Create the XML file. You can start with the [XML example](#taskbar-layout-example) +1. Edit the XML file to meet your requirements and save it +1. Deploy the XML file to devices using configuration service provider (CSP), provisioning packages (PPKG), or group policy (GPO) + +>[!IMPORTANT] +>If you use a provisioning package or `import-startlayout` to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO. + +::: zone pivot="windows-10" + +>[!NOTE] +>If you use GPO and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. 
If you use GPO and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a partial Start layout, users can make changes to the taskbar and to tile groups not defined in the partial Start layout. +> +> For more information, see [Configure the Start menu](../start/index.md). + +::: zone-end + +## Taskbar layout example + +Here you can find an example of taskbar layout that you can use as a reference: + +[!INCLUDE [example](includes/example.md)] + +### Modify the configuration file + +> [!CAUTION] +> When you make changes to the XML file, be aware that the XML format must adhere to an [XML schema definition (XSD)](xsd.md). + +You can change the apps pinned to the taskbar by modifying the `` node. + +1. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: + - ``: Select this option for UWP apps. Add the *AUMID* of the UWP app + - ``: Select this option for desktop apps. Add the *Desktop Application ID* or the *Desktop Application Link Path* of the desktop app +1. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: + - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned + - ``: Unpins the default apps. Only the apps you add are pinned. If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned +1. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region +1. 
Save the file + +For practical examples of how to add, remove, or replace pinned apps, see the following sections: + +- [Add pins](#example-add-pins) +- [Remove default pins](#example-remove-pins) +- [Replace default pins](#example-replace-pins) +- [Configure the taskbar by country or region](#example-configure-the-taskbar-by-country-or-region) + +#### Example: add pins + +The `` section appends the listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. + +[!INCLUDE [example-add-pins](includes/example-add-pins.md)] + +**Before and after:** + +::: zone pivot="windows-11" +:::image type="content" source="images/pin-add-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after adding pins." border="false" lightbox="./images/pin-add-11.png"::: +::: zone-end + +::: zone pivot="windows-10" +:::image type="content" source="images/pin-add-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after adding pins." border="false" lightbox="./images/pin-add-10.png"::: +::: zone-end + +#### Example: remove pins + +To remove all pins, add `PinListPlacement="Replace"` to ``. + +[!INCLUDE [example-remove-pins](includes/example-remove-pins.md)] + +**Before and after:** + +::: zone pivot="windows-11" +:::image type="content" source="images/pin-remove-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after removing pins." border="false" lightbox="images/pin-remove-11.png"::: +::: zone-end + +::: zone pivot="windows-10" +:::image type="content" source="images/pin-remove-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after removing pins." border="false" lightbox="images/pin-remove-10.png"::: +::: zone-end + +#### Example: replace pins + +To replace all default pins and add your own pins, add `PinListPlacement="Replace"` to ``. Then, add the pins that you want to `TaskbarPinList`. 
+ +[!INCLUDE [example-replace-pins](includes/example-replace-pins.md)] + +**Before and after:** + +::: zone pivot="windows-11" +:::image type="content" source="images/pin-replace-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after replacing pins." border="false" lightbox="images/pin-replace-11.png"::: +::: zone-end + +::: zone pivot="windows-10" +:::image type="content" source="images/pin-replace-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after replacing pins." border="false" lightbox="images/pin-replace-10.png"::: +::: zone-end + +#### Example: configure the taskbar by country or region + +In the following XML example, two regions are added: `US|UK` and `DE|FR|IT`: + +[!INCLUDE [example](includes/example-region.md)] + +- If the `` node has region matching the one configured on the device, then the configuration applies +- If the `` node doesn't have a region matching the one configured on the device, then the first `` node without region applies + +> [!NOTE] +> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) + +## Deploy the taskbar configuration + +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) + +To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings: + +| Category | Setting name | Value | +|--|--|--| +| **Start** | Start Layout | Content of the XML file| +| **Start** | Start Layout (User) | Content of the XML file| + +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. 
Use one of the following settings: + +| Setting | +|--| +| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)
- **String:**
- **Value:** content of the XML file | +| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)
- **Data type:**
- **Value:** content of the XML file | + +[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)] + +#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] + +- **Path:** `Policies/Start/StartLayout` +- **Value:** content of the XML file + +> [!NOTE] +> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*. + +[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] + +#### [:::image type="icon" source="../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use one of the following settings: + +| Group policy path | Group policy setting | Value | +| - | - | - | +|**Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file | +|**User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file | + +[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] + +The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. 
+ +--- + +## User experience + +After the taskbar layout is applied, the users must sign out and sign in again to see the new layout. Unless prohibited via policy settings, users can pin more apps, change the order, and unpin apps from the taskbar. + +### OS install and upgrade experience + +On a clean install of Windows, if you apply a taskbar layout, the following apps are pinned to the taskbar: + +- Any default apps you don't remove +- Apps that you specifically pin in the XML file + +On a Windows OS upgrade, apps are already pinned to the taskbar. The taskbar layout applies the following logic: + +- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps +- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned +- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps +- New apps in updated layout file are pinned after the user's pinned apps + +If you apply the taskbar configuration to a clean install or an update, users can still: + +- Pin more apps +- Change the order of pinned apps +- Unpin any app + +## Next steps + +Learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO): + +- [Taskbar policy settings](policy-settings.md) diff --git a/windows/configuration/taskbar/policy-settings.md b/windows/configuration/taskbar/policy-settings.md index 1016be2d5b..cf9fa4a5ea 100644 --- a/windows/configuration/taskbar/policy-settings.md +++ b/windows/configuration/taskbar/policy-settings.md 
@@ -1,101 +1,186 @@ --- -title: Supported CSP policies to customize the Taskbar on Windows 11 -description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -ms.date: 12/31/2017 -ms.topic: article +title: Taskbar policy settings +description: Learn about the policy settings to configure the Windows taskbar. +ms.topic: reference +ms.date: 04/17/2024 appliesto: -- ✅ Windows 11 +zone_pivot_groups: windows-versions-11-10 --- -# Supported configuration service provider (CSP) policies for Windows 11 taskbar +# Taskbar policy settings -The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. +This reference article outlines the policy settings available for customizing the Windows taskbar, using Configuration Service Provider (CSP) or group policy (GPO). For information about how to configure these settings, see [Configure the Windows taskbar](index.md). -For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). +The settings are categorized and presented in alphabetical order to facilitate navigation and configuration. -## CSP policies to customize Windows 11 taskbar buttons +1. **Taskbar layout**: settings to control the taskbar layout and appearance +1. 
**Taskbar behaviors**: settings to control the taskbar behaviors and the users' allowed actions -- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar` - - Local setting: Settings > Personalization > Taskbar > Search +Select one of the tabs to see the list of available settings: -- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) - - Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button` - - Local setting: Settings > Personalization > Taskbar > Task view - -- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets` - - Local setting: Settings > Personalization > Taskbar > Widgets - -- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting` - - Local setting: Settings > Personalization > Taskbar > Chat - -## Existing CSP policies that Windows 11 taskbar supports - -- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar - -- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not 
allow pinning programs to the Taskbar` - - Local setting: None - -## Existing CSP policies that Windows 11 doesn't support - -The following list includes some of the CSP policies that aren't supported on Windows 11: - -- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` - -- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` - -- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` - -- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` - -- [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` - -- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` - -- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` - -- 
[ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` - -- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` - - - - - + +> [!Note] +> In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features. + +In Windows 10 version 1809 and later, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update (until Windows 11 version 22H2). It's currently not possible to acquire them from a network share. Specifying a network location works for FoD packages or corruption repair, depending on the content at that location. + +In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FoD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired. For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. 
-Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). +Learn about other client management options, including using Group Policy and administrative templates, in [Manage Windows clients](/windows/client-management/). ## More resources diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index 7f6fffc7b4..9984fc897b 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md @@ -11,11 +11,11 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 03/15/2023 +ms.date: 04/22/2024 --- # Migrating and acquiring optional Windows content during updates - + This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). 
@@ -28,7 +28,8 @@ Optional content includes the following items: - General Features on Demand also referred to as FODs (for example, Windows Mixed Reality) - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) -- Local Experience Packs +- Local Experience Packs +- Language packs Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. @@ -137,7 +138,8 @@ Several of the options address ways to address optional content migration issues - This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. - If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS. -For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source). + +For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) and [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md). ## More resources 
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 6506f11e90..548b26fb85 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -15,11 +15,11 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ WSUS -ms.date: 12/31/2017 +ms.date: 04/22/2024 --- # Deploy Windows client updates using Windows Server Update Services (WSUS) - + > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 5f5374ac96..6062716b60 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -11,10 +11,10 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 01/13/2022 +ms.date: 04/22/2024 --- -# Use Windows Update for Business and WSUS together +# Use Windows Update for Business and WSUS together > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
@@ -69,7 +69,8 @@ The policy can be configured using the following two methods: > [!NOTE] > - You should configure **all** of these policies if you are using CSPs. -> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. +> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. +> - If you're also using the **Specify settings for optional component installation and component repair** policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md) to verify your policy configuration. - [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver) - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature) diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index f27e7c4961..386320c5f8 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md 
@@ -32,7 +32,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 11 Family +## Windows 11 Home | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index b4736b74ce..aebe78e618 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -32,7 +32,7 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Destination** | **Protocol** | **Description** | | --- | --- | --- | diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index b558fc1c1e..3640d0e89a 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -36,7 +36,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | Destination | Protocol | Description | | ----------- | -------- | ----------- | 
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index a0bfa21291..efebab8e60 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Destination** | **Protocol** | **Description** | | --- | --- | --- | diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md index c8f28f8ea4..8836b64032 100644 --- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md @@ -35,7 +35,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Destination** | **Protocol** | **Description** | | --- | --- | --- | diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md index f41413a60a..c57c257926 100644 --- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md 
@@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index ae92428145..01a9f50103 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md index 1d76e0e5a9..38c5700dab 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md 
@@ -2,7 +2,7 @@ title: Use multiple Windows Defender Application Control Policies description: Windows Defender Application Control supports multiple code integrity policies for one device. ms.localizationpriority: medium -ms.date: 07/19/2021 +ms.date: 04/15/2024 ms.topic: article --- 
@@ -11,17 +11,22 @@ ms.topic: article >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: +Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, April 9, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies and you must not exceed that number. + +>[!NOTE] +>The policy limit was not removed on Windows 11 21H2 and will remain limited to 32 policies. + +Here are some common scenarios where multiple side-by-side policies are useful: 1. Enforce and Audit Side-by-Side - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - - If two base policies exist on a device, an application has to be allowed by both to run + - If two base policies exist on a device, an application must pass both policies for it to run 3. 
Supplemental Policies - Users can deploy one or more supplemental policies to expand a base policy - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run + - For supplemental policies, applications allowed by either the base policy or its supplemental policy/policies run > [!NOTE] > Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies. 
@@ -31,11 +36,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a - Multiple base policies: intersection - Only applications allowed by both policies run without generating block events - Base + supplemental policy: union - - Files that are allowed by either the base policy or the supplemental policy aren't blocked + - Files allowed by either the base policy or the supplemental policy run ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique values generated for the policy ID and 2) the policy type set as a Base policy. The below example describes the process of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash 
@@ -55,7 +60,7 @@ Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-K ### Supplemental policy creation -In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown above. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. +In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown earlier. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. - "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to - "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to 
@@ -66,11 +71,11 @@ Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicy ### Merging policies -When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. +When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy is a base policy with ID \. ## Deploying multiple policies -In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature. +In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP. ### Deploying multiple policies locally @@ -86,15 +91,9 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are unenrolled from an MDM server, the CSP attempts to remove every policy not actively deployed, not just the policies added by the CSP. This behavior happens because the system doesn't know what deployment methods were used to apply individual policies. For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. - -### Known Issues in Multiple Policy Format - -* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. -* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit. -* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot. 
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md index 91af264958..2522308d55 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md @@ -2,7 +2,7 @@ title: WDAC Admin Tips & Known Issues description: WDAC Known Issues ms.manager: jsuther -ms.date: 11/22/2023 +ms.date: 04/15/2024 ms.topic: article ms.localizationpriority: medium --- 
@@ -43,32 +43,30 @@ When the WDAC engine evaluates files against the active set of policies on the d 4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. -5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. +5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly. ## Known issues ### Boot stop failure (blue screen) occurs if more than 32 policies are active -If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. +Until you apply the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, April 9, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. + +**Note:** The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies. 
### Audit mode policies can change the behavior for some apps or cause app crashes -Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: +Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: - Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors. - Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening). -### Managed Installer and ISG may cause excessive events - -When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. - ### .NET native images may generate false positive block events In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. 
### Signatures using elliptical curve cryptography (ECC) aren't supported -WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. +WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If WDAC blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. ### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule 
@@ -88,18 +86,19 @@ As a workaround, download the MSI file and run it locally: ```console msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi ``` + ### Slow boot and performance with custom policies -WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. +WDAC evaluates all processes that run, including inbox Windows processes. You can cause slower boot times, degraded performance, and possibly boot issues if your policies don't build upon the WDAC templates or don't trust the Windows signers. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. #### AppId Tagging policy considerations -If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes). +AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes). 
-If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance: +If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance: :::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy."::: :::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy."::: -Since AppId Tagging policies evaluate but can't tag dll files, this rule will short circuit dll evaluation and improve evaluation performance. +Since AppId Tagging policies evaluate but can't tag dll files, this rule short circuits dll evaluation and improve evaluation performance. diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md index b31f712e0f..9fde8b8939 100644 --- a/windows/security/cloud-security/index.md +++ b/windows/security/cloud-security/index.md @@ -1,6 +1,6 @@ --- title: Windows and cloud security -description: Get an overview of cloud security features in Windows +description: Get an overview of cloud security features in Windows. ms.date: 08/02/2023 ms.topic: overview author: paolomatarazzo 
@@ -9,7 +9,7 @@ ms.author: paoloma # Windows and cloud security -Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. +Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere. diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md index b4d14a1882..008110433e 100644 --- a/windows/security/identity-protection/hello-for-business/configure.md +++ b/windows/security/identity-protection/hello-for-business/configure.md @@ -2,7 +2,7 @@ title: Configure Windows Hello for Business description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization. ms.topic: how-to -ms.date: 01/03/2024 +ms.date: 04/23/2024 --- # Configure Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 5fe562311d..e1845d9363 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,7 +1,7 @@ --- title: Dynamic lock description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.date: 02/29/2024 +ms.date: 04/23/2024 ms.topic: how-to --- diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 1b1ad680bf..ff9bf8c522 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -5,7 +5,7 @@ ms.date: 08/19/2018 ms.topic: how-to --- -# Using Certificates for AADJ On-premises Single-sign On +# Using Certificates for Microsoft Entra joined on-premises single-sign on [!INCLUDE [apply-to-hybrid-cert-trust-entra](deploy/includes/apply-to-hybrid-cert-trust-entra.md)] 
@@ -16,34 +16,35 @@ If you plan to use certificates for on-premises single-sign on, then follow thes Steps you'll perform include: -- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect) -- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) -- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) -- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role) -- [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune) -- [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector) -- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) +> [!div class="checklist"] +> - [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect) +> - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) +> - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) +> - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role) +> - [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune) +> - [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector) +> - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements -You need to install and configure additional infrastructure 
to provide Microsoft Entra joined devices with on-premises single-sign on. +You must install and configure additional infrastructure to provide Microsoft Entra joined devices with on-premises single-sign on. -- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority -- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role +- An existing Windows Server Enterprise Certificate Authority +- A domain joined Windows Server that hosts the Network Device Enrollment Services (NDES) role ### High Availability -The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. +The NDES server role acts as a certificate registration authority (CRA). Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. -The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion). +The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion). -The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. 
The certificate request purpose has three options: +The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options: - Signature - Encryption - Signature and Encryption -If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. +If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements 
@@ -51,36 +52,31 @@ All communication occurs securely over port 443. ## Prepare Microsoft Entra Connect -Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. +Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. -Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. +Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. -To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. 
+To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify Microsoft Entra Connect version -Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_. +Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*. -1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder. - -2. In the **Synchronization Service Manager**, select **Help** and then select **About**. - -3. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version. +1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder +1. In the **Synchronization Service Manager**, select **Help** and then select **About** +1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version ### Verify the onPremisesDistinguishedName attribute is synchronized The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). - -2. Select **Sign in to Graph Explorer** and provide Azure credentials. +1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) +1. Select **Sign in to Graph Explorer** and provide Azure credentials > [!NOTE] - > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted. - -3. Select **Modify permissions (Preview)**. 
Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent. - -4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**. + > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted +1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent +1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query** > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. 
@@ -95,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName ``` -5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**. +1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null** #### Response
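Review bot: In the first hunk (`@@ -16,34 +16,35 @@`), the Requirements list loses its version floor: "An existing Windows Server 2012 R2 or later Enterprise Certificate Authority" becomes "An existing Windows Server Enterprise Certificate Authority", and the NDES host line drops "2012 R2" as well, so the page no longer says which Windows Server releases are supported. Suggest keeping a minimum version or linking to where supported versions are listed. The High Availability paragraph is rewritten in this hunk but still reads "more than one identically configured NDES servers, and use Microsoft Intune to load balance then"; that should be "server" and "them". The new "(CRA)" abbreviation is not used again in the visible lines, and the following paragraph re-expands "Network Device Enrollment Service (NDES)" after the acronym was already defined in the list, with "Service" and "Services" used inconsistently.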
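Review bot: In the second hunk (`@@ -51,36 +52,31 @@`), trailing periods were removed from text that is made of full sentences, for example the step ending "select **Consent**. You'll now be prompted for delegated permissions consent" and the note "adequate [permissions](/graph/api/user-get?) must be granted", which now stop without punctuation after earlier sentences that keep theirs. Suggest dropping the period only on single-fragment steps. The same step still says "**User.Read.All** (or any other required permission)"; name the specific permission this query needs so readers do not consent to more than the check requires. While these lines are open, the context line spells the attribute "onPremisesDistingushedNamne", and "Sign-in to computer running" should read "Sign in to the computer running".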
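Review bot: In the third hunk (`@@ -95,7 +91,7 @@`), renumbering the step after the request code block from "5." to "1." relies on the fenced block and the note above it being indented inside the list item; if they are not, the list restarts there and this step renders as step 1. Please confirm in the rendered preview. The step also loses its final period although it contains three sentences, and "If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**" needs a comma after "synchronized".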